Laravel Packages

Package Pages

A good readme file contains a section on security. When sharing your code via open source, you can be held liable depending on your chosen license. There are multiple ways to go about adding this security section.

What is the security section?

The security section of your readme.md file specifies how you want to be told about security vulnerabilities.

The basic security section

An essential security section is added to your README.md file, which serves as the index for your project/package. This section can be as extensive or as simple as you want. Let's look at the simple version first.

A basic security section looks as follows:

## Security

If you discover any security related issues, please email YOUR_EMAIL instead of using the issue tracker.

A SECURITY.md file

If you host your code on GitHub, which we recommend, you can create a .github/SECURITY.md file. That way GitHub can hook into this file and use it, for example, in your issue creation process. More information on what GitHub can do for you with this file can be found here: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
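A check you could run in CI to confirm a package ships one of the two forms described above and that the YOUR_EMAIL placeholder was actually replaced. This is an added example, not code from the original page: the function name check_security_policy, its status words and the sample repositories are made up for illustration, and the root and docs/ paths are the other locations GitHub documents for a SECURITY.md file.

```shell
#!/bin/sh
# Added example (not from the original page): CI check that a package
# tells reporters how to disclose a vulnerability privately.
# Prints one status word; returns 0 only for "ok".
check_security_policy() {
    repo=$1
    text=""
    # Policy file locations GitHub recognises; first match wins.
    for f in .github/SECURITY.md SECURITY.md docs/SECURITY.md; do
        if [ -f "$repo/$f" ]; then text=$(cat "$repo/$f"); break; fi
    done
    # Fallback: only the body under a "Security" heading in README.md,
    # so badges or links elsewhere in the README do not count.
    if [ -z "$text" ] && [ -f "$repo/README.md" ]; then
        text=$(awk '
            /^#+ / { insec = (tolower($0) ~ /^#+ *security/); next }
            insec  { print }' "$repo/README.md")
    fi
    if [ -z "$text" ]; then echo missing; return 1; fi
    # The template placeholder was never replaced with a real address.
    if printf '%s\n' "$text" | grep -q 'YOUR_EMAIL'; then
        echo placeholder; return 1
    fi
    # Require an email address or URL as the private reporting channel.
    if printf '%s\n' "$text" | grep -Eq \
        '[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}|https?://'; then
        echo ok; return 0
    fi
    echo no-contact; return 1
}

# Constructed sample repositories (not real packages).
demo=$(mktemp -d)
mkdir -p "$demo/a" "$demo/b/.github" "$demo/c"
printf '# Pkg\n\n## Security\n\nIf you discover any security related issues, please email YOUR_EMAIL instead of using the issue tracker.\n' > "$demo/a/README.md"
printf '# Security Policy\n\nReport privately to security@example.com.\n' > "$demo/b/.github/SECURITY.md"
printf '# Pkg\n\nDocs: https://example.com\n' > "$demo/c/README.md"
for r in a b c; do
    printf '%s: %s\n' "$r" "$(check_security_policy "$demo/$r" || true)"
done
```

Because the function returns non-zero for anything other than "ok", calling it as a pipeline step fails the build when the section is absent, still holds the placeholder, or names no contact.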

Why do you need a security section?

When you share your code online, others might find security vulnerabilities in it that you missed. Instead of publishing the vulnerability to the open world, where everyone can abuse it, the finder can share it only with you, the maintainer/creator. This sharing is usually done through email or a bug bounty program.

PGP

PGP stands for "Pretty Good Privacy" and can be used to encrypt information such as email. Some open-source projects, like Laravel, share their public PGP key. Check out their PGP key here: https://github.com/laravel/framework/security/policy#public-pgp-key

Bug bounty programs

Bug bounty programs like HackerOne community edition provide a platform to manage and control vulnerabilities. We only recommend going this route if your project is of significant size. Check out their platform here: https://www.hackerone.com/company/open-source-community

Conclusion

Your open-source project/package should have a security section so that you can deal with any security problems that might be present in your project/package. It provides a way for hackers or other programmers to reach out to you in case they find any vulnerabilities.