Add SECURITY.md and notes on PVR #372

Merged
andyblundell merged 3 commits into main from anbl-add-security-md on Apr 23, 2026

Conversation

@andyblundell (Contributor)

Summary

Adds a SECURITY.md file to the repository and documents best practices for allowing others to report security problems.

Changes

Added SECURITY.md

  • Provides guidance on how to report security vulnerabilities
  • Uses GitHub's Private Vulnerability Reporting (PVR) as the primary reporting method
  • Includes a direct link to the vulnerability reporting form for ease of use
  • Retains contact details for general security enquiries

Updated practices/securing-repositories.md

Added a new section "Allowing others to report security problems" covering:

  • Adding a SECURITY.md file to repositories
  • Enabling Security advisories
  • Enabling Private vulnerability reporting for public repositories
  • Monitoring and acting on security advisories

Also links to this repository's SECURITY.md as a working example.

Why

Public repositories should make it easy for security researchers and users to report vulnerabilities privately. GitHub's Private Vulnerability Reporting provides a low-friction, secure channel that doesn't require external reporters to manage email or tokens — they just need a GitHub account.

Checklist

  • SECURITY.md added to repository root
  • Private vulnerability reporting enabled in repository settings
  • Documentation updated with guidance for other teams

@andyblundell andyblundell requested a review from a team as a code owner April 15, 2026 17:29
andyblundell and others added 2 commits April 23, 2026 10:39
Co-authored-by: Alex Young <alex.young12@nhs.net>

@andyblundell andyblundell added this pull request to the merge queue Apr 23, 2026
Merged via the queue into main with commit 850bd96 Apr 23, 2026
3 checks passed
@andyblundell andyblundell deleted the anbl-add-security-md branch April 23, 2026 09:49