Merge pull request #27 from TezRomacH/feature/security

🔒 added SECURITY.md and configs

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,3 @@
+# Configuration: https://help.github.com/en/github/building-a-strong-community/configuring-issue-templates-for-your-repository
+
+blank_issues_enabled: false

.github/ISSUE_TEMPLATE/security.md

@@ -0,0 +1,15 @@
+---
+name: 🔐 Security Issue
+about: Reporting Security Issues ❗️
+title: ''
+labels: security
+assignees:
+---
+
+## 🔐 Reporting Security Issues
+
+> Do not open issues that might have security implications!
+> It is critical that security related issues
+are reported privately so we have time to address them before they become public knowledge
+
+## ❗️ Read [`SECURITY.md`](https://github.com/TezRomacH/python-package-template/blob/master/SECURITY.md) to know how to report security issues

.github/PULL_REQUEST_TEMPLATE.md

@@ -15,6 +15,7 @@
 - [ ] 🥂 Improvement (non-breaking change which improves an existing feature)
 - [ ] 🚀 New feature (non-breaking change which adds functionality)
 - [ ] 💥 Breaking change (fix or feature that would cause existing functionality to change)
+- [ ] 🔐 Security fix
 
 ## Checklist
 

README.md

@@ -49,7 +49,7 @@ For building and deployment:
 For creating your open source community:
 
 - Ready-to-use [Pull Requests templates](https://github.com/TezRomacH/python-package-template/blob/master/%7B%7B%20cookiecutter.project_name%20%7D%7D/.github/PULL_REQUEST_TEMPLATE.md) and several [Issue templates](https://github.com/TezRomacH/python-package-template/tree/master/%7B%7B%20cookiecutter.project_name%20%7D%7D/.github/ISSUE_TEMPLATE).
-- Files such as: `LICENSE`, `CONTRIBUTING.md`, and `CODE_OF_CONDUCT.md` are generated automatically.
+- Files such as: `LICENSE`, `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, and `SECURITY.md` are generated automatically.
 - [`Stale bot`](https://github.com/apps/stale) that closes abandoned issues after a period of inactivity. (You will only [need to setup free plan](https://github.com/marketplace/stale)). Configuration is [here](https://github.com/TezRomacH/python-package-template/blob/master/%7B%7B%20cookiecutter.project_name%20%7D%7D/.github/.stale.yml).
 - [Semantic Versions](https://semver.org/) specification with [`Release Drafter`](https://github.com/marketplace/actions/release-drafter).
 
@@ -354,7 +354,6 @@ Here is a list of things that have yet to be implemented:
 - Code metrics with [`Radon`](https://github.com/rubik/radon).
 - Docstring coverage with [`interrogate`](https://github.com/econchick/interrogate)
 - `Dockerfile` linting with [`dockerfilelint`](https://github.com/replicatedhq/dockerfilelint).
-- Add `SECURITY.md` and `security_report.md` to issue templates. Add security checkbox in `pull_request_template.md`.
 - [Hall of fame](https://github.com/sourcerer-io/hall-of-fame) from `Sourcerer`.
 - Some advanced Python linting (?).
 - Update `pre-commit` hooks to [locals](https://pre-commit.com/#repository-local-hooks) (?).

SECURITY.md

@@ -0,0 +1,27 @@
+# Security
+
+## 🔐 Reporting Security Issues
+
+> Do not open issues that might have security implications!
+> It is critical that security related issues are reported privately so we have time to address them before they become public knowledge.
+
+Vulnerabilities can be reported by emailing core members:
+
+- Roman Tezikov [[email protected]](mailto:[email protected])
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Environment (e.g. Linux / Windows / macOS)
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Preferred Languages
+
+We prefer all communications to be in English.

{{ cookiecutter.project_name }}/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,3 @@
+# Configuration: https://help.github.com/en/github/building-a-strong-community/configuring-issue-templates-for-your-repository
+
+blank_issues_enabled: false

{{ cookiecutter.project_name }}/.github/ISSUE_TEMPLATE/security.md

@@ -0,0 +1,15 @@
+---
+name: 🔐 Security Issue
+about: Reporting Security Issues ❗️
+title: ''
+labels: security
+assignees:
+---
+
+## 🔐 Reporting Security Issues
+
+> Do not open issues that might have security implications!
+> It is critical that security related issues
+are reported privately so we have time to address them before they become public knowledge
+
+## ❗️ Read [`SECURITY.md`](https://github.com/{{ cookiecutter.github_name }}/{{ cookiecutter.project_name }}/blob/master/SECURITY.md) to know how to report security issues

{{ cookiecutter.project_name }}/.github/PULL_REQUEST_TEMPLATE.md

@@ -15,6 +15,7 @@
 - [ ] 🥂 Improvement (non-breaking change which improves an existing feature)
 - [ ] 🚀 New feature (non-breaking change which adds functionality)
 - [ ] 💥 Breaking change (fix or feature that would cause existing functionality to change)
+- [ ] 🔐 Security fix
 
 ## Checklist
 

{{ cookiecutter.project_name }}/README.md

@@ -121,7 +121,7 @@ For building and deployment:
 For creating your open source community:
 
 - Ready-to-use [Pull Requests templates](https://github.com/{{ cookiecutter.github_name }}/{{ cookiecutter.project_name }}/blob/master/.github/PULL_REQUEST_TEMPLATE.md) and several [Issue templates](https://github.com/{{ cookiecutter.github_name }}/{{ cookiecutter.project_name }}/tree/master/.github/ISSUE_TEMPLATE).
-- Files such as: `LICENSE`, `CONTRIBUTING.md`, and `CODE_OF_CONDUCT.md` are generated automatically.
+- Files such as: `LICENSE`, `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, and `SECURITY.md` are generated automatically.
 - [`Stale bot`](https://github.com/apps/stale) that closes abandoned issues after a period of inactivity. (You will only [need to setup free plan](https://github.com/marketplace/stale)). Configuration is [here](https://github.com/{{ cookiecutter.github_name }}/{{ cookiecutter.project_name }}/blob/master/.github/.stale.yml).
 - [Semantic Versions](https://semver.org/) specification with [`Release Drafter`](https://github.com/marketplace/actions/release-drafter).
 

{{ cookiecutter.project_name }}/SECURITY.md

@@ -0,0 +1,27 @@
+# Security
+
+## 🔐 Reporting Security Issues
+
+> Do not open issues that might have security implications!
+> It is critical that security related issues are reported privately so we have time to address them before they become public knowledge.
+
+Vulnerabilities can be reported by emailing core members:
+
+- {{ cookiecutter.organization }} [{{ cookiecutter.email }}](mailto:{{ cookiecutter.email }})
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Environment (e.g. Linux / Windows / macOS)
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Preferred Languages
+
+We prefer all communications to be in English.