Do you have a demo or examples in a specific repository? Or perhaps you have a functionality that needs time to mature, and you publish it in the open source spirit, but nobody should use it (yet) in a production setup?
If you have such code, mark it clearly in the project repository! Potential users might miss the documentation, especially if the remark "do not use in production" is in the middle of the 43rd paragraph...
The Eclipse Foundation security team provides templates of SECURITY.md (the file security researchers look for when contacting your project). We have recently added a new template: https://github.com/eclipse-csi/security-handbook/blob/main/templates/example-code-SECURITY.md. This one is nearly the same as the standard one, but it adds the "do not use in production" mark.
Adjust the template to your project’s needs!
For more templates, guidelines, and other resources, see the Eclipse Common Security Infrastructure (Eclipse CSI) project repository!
About SECURITY.md
Security researchers look into the SECURITY.md file to find a way to contact your project and report potential security issues. The file should be in each of your project's repositories and should contain at least the link to the Eclipse Foundation vulnerability reporting systems.
You can adapt it to your needs and include information like:
- The list of supported versions
- Any additional information you ask the reporters to provide
- Any helpful links, like your secure configuration guide
You can find the default template at https://github.com/eclipse-csi/security-handbook/blob/main/templates/SECURITY.md.
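As an added example (not code from the Eclipse CSI handbook), a small Python audit that walks local repository checkouts, finds SECURITY.md in the locations GitHub recognises, and flags files without a reporting link or, for example-code repositories, without the "do not use in production" mark. The reporting-link pattern and the sample repositories are constructed placeholders; replace the pattern with your organisation's actual reporting URL.

```python
import re
import tempfile
from pathlib import Path

# Locations where GitHub and most tooling look for the policy file.
CANDIDATE_PATHS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")

# Placeholder: replace with the URL of your organisation's vulnerability
# reporting system (for Eclipse projects, the link the default template carries).
REPORTING_LINK = re.compile(r"https://\S*security\S*", re.IGNORECASE)

# The mark the example-code template adds; accept a few common wordings.
NOT_FOR_PRODUCTION = re.compile(
    r"(?:do not|don't|never)\s+use\b[^.\n]*\bin production", re.IGNORECASE)


def audit_security_md(text: str, example_code: bool) -> list[str]:
    """Return findings for SECURITY.md content; example_code=True means the
    repository holds demos or immature features, so the mark is required too."""
    findings = []
    if not REPORTING_LINK.search(text):
        findings.append("no link to the vulnerability reporting system")
    if example_code and not NOT_FOR_PRODUCTION.search(text):
        findings.append("missing 'do not use in production' mark")
    return findings


def audit_repo(repo: Path, example_code: bool) -> list[str]:
    """Locate SECURITY.md in a local checkout and audit its content."""
    for rel in CANDIDATE_PATHS:
        path = repo / rel
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            return audit_security_md(text, example_code)
    return ["SECURITY.md not found in any of: " + ", ".join(CANDIDATE_PATHS)]


def demo() -> dict[str, list[str]]:
    """Constructed sample: three throwaway checkouts with different policies."""
    link = "Report issues at https://example.invalid/security/\n"
    samples = {  # name: (relative path or None, file body, is example code)
        "library": ("SECURITY.md", link, False),
        "examples": (".github/SECURITY.md", link, True),
        "demo": (None, "", True),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (rel, body, is_example) in samples.items():
            repo = Path(tmp) / name
            repo.mkdir()
            if rel:
                (repo / rel).parent.mkdir(parents=True, exist_ok=True)
                (repo / rel).write_text(body, encoding="utf-8")
            results[name] = audit_repo(repo, is_example)
    return results
```

Run `demo()` to see the three outcomes: the library passes, the examples repository is flagged for the missing mark, and the demo repository is flagged for having no SECURITY.md at all.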
Let's discuss the use of SECURITY.md in this discussion thread: https://github.com/orgs/eclipse-csi/discussions/5