Commit b17503d

docs: add blog post 2025-03-17-security-policy-update
- Related: yeoman/.github#21 - Related: yeoman/.github#1
1 parent 330f7ce commit b17503d

1 file changed: +37 -0 lines changed

@@ -0,0 +1,37 @@
1+
---
2+
layout: blog
3+
title: How Yeoman is Enhancing Security Through Policy Updates
4+
---
5+
6+
This is just the start. We're also working on a **deeper security initiative** to strengthen Yeoman for the long haul. If you're curious or want to contribute, check out the discussion [here](https://github.com/yeoman/.github/issues/1).
7+
8+
---
9+
We're not just dusting off old code. As part of our **[Maintenance Reboot Initiative](https://yeoman.io/blog/maintenance-reboot)**, we're rebuilding Yeoman for the future—stronger, faster, and definitely more secure.
10+
11+
That’s why we’ve rolled out an updated **[Security Policy](https://github.com/yeoman/.github/blob/main/SECURITY.md)** to keep our ecosystem locked down tight. If you're into open source (and we know you are), here's how you can help keep Yeoman secure.
12+
13+
## How to Report a Vulnerability (Without Blowing Up the Internet)
14+
15+
- **Found something shady?**
16+
- **Step 1:** **Do NOT open a public issue!**
17+
- **Step 2:** Report it privately through [GitHub Security Advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
18+
- **Step 3:** Can’t use GitHub? Check the [security policy](https://github.com/yeoman/.github/blob/main/SECURITY.md) for an alternative option.
19+
20+
Why private? Because public issues can give attackers a head start, and we’re not here for that.
21+
22+
## What Happens After?
23+
24+
- You'll hear from us within **2–5 working days** (we're fast, but coffee breaks exist).
25+
- We aim to squash confirmed vulnerabilities within **30 days**—complex issues might take a bit longer.
26+
- You’ll be looped in throughout the process. Transparency is key.
27+
- Once fixed, we’ll shout out your name (if you want) as a thank-you!
28+
29+
## Rewards? Not Yet. Recognition? Absolutely.
30+
31+
No, there’s no bug bounty (for now). But responsible disclosures get you serious street cred in the Yeoman community. We’ll acknowledge your contributions (with your consent) after a fix is out.
32+
33+
34+
**Happy hacking 🎩**
35+
36+
– The Yeoman Maintainers Team
37+
[@UlisesGascon](https://github.com/UlisesGascon) and [@JoshuaKGoldberg](https://github.com/JoshuaKGoldberg)
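Review bot: the paragraph at diff line 6 ("This is just the start. We're also working on a **deeper security initiative** ...") reads as a closing paragraph, yet it sits above the actual introduction at line 9 ("We're not just dusting off old code ..."), separated only by a `---` rule. If the blog layout renders the text above that rule as the post excerpt, it should summarize this post (the updated Security Policy and how to report privately) rather than point readers to a follow-up initiative; if not, the paragraph belongs at the end of the post, just before `**Happy hacking 🎩**`, where the hand-off to the wider initiative reads naturally. Two smaller points: the front matter carries only `layout` and `title`, so add a `date` key unless the layout derives the date from the filename; and the commit message lists yeoman/.github#21 as related, but the post links only issue #1, so if #21 is the policy-update discussion it would be worth linking from the Security Policy paragraph at line 11.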
