While looking through the repo's Security tab, I noticed GitHub flags
this project as not having a security policy set up yet.
For a repo of this size (94k+ stars, widely used as a learning resource
for design patterns), that feels like a gap worth closing. There's already
been at least one published security advisory for this project
(GHSA-85mx-2hxh-5r8p), which suggests the lack of a documented process
isn't just theoretical — contributors and users genuinely don't have a
clear path for reporting something sensitive if they find it.
A basic SECURITY.md would help with a few things:
- Tells people which branches/versions are actually maintained, so they
know if a report even applies
- Gives a clear, private way to report a vulnerability instead of people
defaulting to a public issue (which isn't ideal for anything sensitive)
- Sets expectations on response time, so reporters aren't left guessing
I don't think this needs to be complicated — even a short, standard
SECURITY.md following GitHub's own template would close the gap. If it's
useful, I'm happy to put together a draft and open a PR for it rather than
just leaving this as a suggestion.
While looking through the repo's Security tab, I noticed GitHub flags
this project as not having a security policy set up yet.
For a repo of this size (94k+ stars, widely used as a learning resource
for design patterns), that feels like a gap worth closing. There's already
been at least one published security advisory for this project
(GHSA-85mx-2hxh-5r8p), which suggests the lack of a documented process
isn't just theoretical — contributors and users genuinely don't have a
clear path for reporting something sensitive if they find it.
A basic SECURITY.md would help with a few things:
know if a report even applies
defaulting to a public issue (which isn't ideal for anything sensitive)
I don't think this needs to be complicated — even a short, standard
SECURITY.md following GitHub's own template would close the gap. If it's
useful, I'm happy to put together a draft and open a PR for it rather than
just leaving this as a suggestion.