Hello maintainers,
While reviewing OWASP project repositories, I noticed that the OWASP Top 10 repository currently does not include a SECURITY.md file or a documented security policy for reporting vulnerabilities related to the repository itself (e.g., CI/CD workflows, repository configuration, or infrastructure-related issues).
Several other OWASP projects already maintain a security policy to guide responsible disclosure and reduce the risk of accidental public reporting.
For reference, I recently worked on a similar security-hardening effort in another OWASP project, where a security-related improvement was accepted via PR:
Related PR: https://github.com/OWASP/www-project-vulnerable-web-applications-directory/pull/180
Introducing a SECURITY.md here could help:
- Provide a clear disclosure path for repository or workflow vulnerabilities
- Align OWASP Top 10 with GitHub security best practices
- Improve consistency across OWASP-managed projects
I’d be happy to open a PR with a minimal, OWASP-aligned SECURITY.md if this is something the maintainers agree would be useful.
Thank you for your time and for maintaining this important project.
Best regards,
Savio D’souza