
Add a SECURITY.md in every public repo #281

@jameslamb

Description

GitHub has special handling of a root-level file named SECURITY.md. From https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/adding-a-security-policy-to-your-repository

"give instructions for how to report a security vulnerability in your project by adding a security policy to your repository"

This tracks the work of adding a file like that to every RAPIDS repo.

Benefits of this work

Why not just use an org-wide default file?

For a few years, we've had a default org-wide file with that information at https://github.com/rapidsai/.github/blob/e9b5cddd57020c5dc4f88bf8fa62fc7eaaf3ef13/SECURITY.md.

That's helpful! It by default populates the "security policy" link displayed on project homepages:

[screenshot: the "Security policy" link shown on a RAPIDS project homepage]

ref: https://github.com/rapidsai/cudf?tab=security-ov-file#readme

But adding actual files to each repo adds some benefits:

  • ensures security policy travels with the repo to forks, clones, mirrors, etc.
  • allows per-repo governance over the security policy (via PR review, CODEOWNERS, etc.)

Acceptance Criteria

  • every public RAPIDS repo has an up-to-date SECURITY.md describing how to report security issues
  • repo-wide default security policy is up to date

Approach

Then update all the others (rapids-reviser can help):

Notes

N/A
