Adding a security policy to your repository

You can give instructions for how to responsibly report a security vulnerability in your project by adding a security policy to your repository.

In this article

About security policies

To give people instructions for responsibly reporting security vulnerabilities in your project, you can add a SECURITY.md file to your repository's root, docs, or .github folder. When someone creates an issue in your repository, they will see a link to your project's security policy.

You can create a default security policy for your organization. For more information, see "Creating a default community health file for your organization."

Tip: To help people find your security policy, you can link to your SECURITY.md file from other places in your repository, such as your README file. For more information, see "About READMEs."

After someone reports a security vulnerability in your project, you can create a maintainer security advisory to disclose, fix and publish information about the vulnerability. For more information, see "About maintainer security advisories."

Adding a security policy to your repository

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Security.

    Security tab

  3. In the left sidebar, click Policy.

    Policy tab

  4. Click Start setup.

    Start setup button

  5. In the new SECURITY.md file, add information about supported versions of your project and how to report a vulnerability.

  6. At the bottom of the page, type a short, meaningful commit message that describes the change you made to the file. You can attribute the commit to more than one author in the commit message. For more information, see "Creating a commit with multiple co-authors."

    Commit message for your change

  7. Below the commit message fields, click the email address drop-down menu and choose a Git author email address. Only verified email addresses appear in this drop-down menu. If you enabled email address privacy, then <username>@users.noreply.github.com is the default commit author email address. For more information, see "Setting your commit email address."

    Choose commit email addresses

  8. Below the commit message fields, decide whether to add your commit to the current branch or to a new branch. If your current branch is master, you should choose to create a new branch for your commit and then create a pull request.

    Commit branch options

  9. Click Propose file change.

    Propose file change button

Further reading

Ask a human

Can't find what you're looking for?

Contact us