Skip to content

Commit

Permalink
Fix scorecard issues (#56)
Browse files Browse the repository at this point in the history 
* fix #10, token-permissions

* Fix #8, pinned-dependencies

* Fix #7, Security-Policy
  • Loading branch information
@bcodesido
bcodesido authored Jan 10, 2025
1 parent 58fd101 commit e526075
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 2 deletions.
6 changes: 4 additions & 2 deletions .github/workflows/publish_npm.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,9 @@ name: Deploy library on NPM
on:
release:
types: [created]


# Declare default permissions as read only.
permissions: read-all

jobs:
publish:
Expand All @@ -15,7 +17,7 @@ jobs:

- name: "Check file existence"
id: check_files
uses: andstor/file-existence-action@v3
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
with:
files: "package.json, README.md"

Expand Down
27 changes: 27 additions & 0 deletions SECURITY.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Reporting Security Issues

The Rootstock team and community take security bugs in rootstock seriously. Beside this project is out of our Bug Bounty Program scope, we appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.


## Responsible Disclosure

For all security related issues, rsk-utils has two main points of contact. Reach us at <[email protected]> or use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/rsksmart/rsk-utils/security/advisories/new) tab.

The Rootstock team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

**Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/rsksmart/rsk-utils/issues).

## Vulnerability Handling

### Response Time

RootstockLabs will make a best effort to meet the following response times for reported vulnerabilities:

* Time to first response (from report submit) - 5 business days
* Time to triage (from report submit) - 7 business days

We’ll try to keep you informed about our progress throughout the process.

### Disclose Policy

Follow our [disclosure guidelines](https://www.rootstocklabs.com/bounty-program/).

0 comments on commit e526075

Please sign in to comment.