From f44c51120cbcd13ffb7d04f308583ad057da50d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 15 Sep 2025 14:33:37 +0200 Subject: [PATCH 1/2] docs: add security escalation policy --- .github/SECURITY.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 3a2ccda92d..7ff562a0d9 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -2,6 +2,13 @@ Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report. +**Escalation** + +If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`. + +If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate. + + ## OpenSSF CII Best Practices [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/684/badge)](https://bestpractices.coreinfrastructure.org/projects/684) From fc0e8e431a333a53e1f5c6c29e849a0efd8208b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 15 Sep 2025 21:14:23 +0200 Subject: [PATCH 2/2] Update .github/SECURITY.md Co-authored-by: Jordan Harband --- .github/SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 7ff562a0d9..83f7041e30 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md 
@@ -2,7 +2,7 @@ Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report. -**Escalation** +## Escalation If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`.
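Review bot: in the first hunk (`@@ -2,6 +2,13 @@`, PATCH 1/2), the new section is introduced with a bold label `+**Escalation**` while the neighbouring section in the same file uses a level-two heading (`## OpenSSF CII Best Practices`); use `## Escalation` so the policy shows up in the rendered table of contents and heading navigation like the other sections. The two trailing added blank lines (`+`, `+`) in front of `## OpenSSF CII Best Practices` leave a double blank line before that heading; one is enough. The two timeouts are also expressed in different units, "6 business days" for the acknowledgement and "14 days" for follow-up engagement; stating whether the second is calendar or business days avoids ambiguity for reporters deciding when to escalate to `security@lists.openjsf.org`.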
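Review bot: in the second hunk (`@@ -2,7 +2,7 @@`, PATCH 2/2), the `Co-authored-by: Jordan Harband` trailer has no `<email>` part; git and GitHub only recognise the trailer in the form `Co-authored-by: Name <email>`, so as written the co-author will not be credited. The hunk itself only replaces `-**Escalation**` with `+## Escalation`, i.e. it corrects formatting introduced by PATCH 1/2, so it should be squashed into that commit before merge rather than landing as a separate "Update .github/SECURITY.md" commit.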