Create a Security Policy

[eslerm]

gunicorn lacks a SECURITY.md

Recent security sensitive bugs have been reported privately, not been addressed, and then reported publicly #3091. That reporter is disclosing security reports publicly now #3104.

By defining a Security Policy, gunicorn can set clear expectations to reporters who want to keep gunicorn and users safe. Here's GitHub Security's policy as an example.

Another option is to use GitHub's private vulnerability reporting feature: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

[benoitc]

Hi, Thanks for your message; https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository looks a good plan. I will enable it asap. The PR is about to be merged also.

[juhoinkinen]

I think it would not hurt to have a SECURITY.md in addition to the GitHub's Vulnerability reporting feature; in SECURITY.md there could be an instruction to use the feature (which I think is a new one, currently with beta status? And it is perhaps not as easily findable as the SECURITY.md file).

The SECURITY.md could have also other security related info, like how-to-use-gunicorn-securely, see e.g. https://github.com/tensorflow/tensorflow/security.

[eslerm]

Thank you for working on this 🙏

Please note that the Report a vulnerability button is not yet available as stated in the SECURITY.md (see this guide for configuration).

[eslerm]

@benoitc could this issue be re-opened until the current SECURITY.md is implemented?