From bfc55882a2a3e6459e0002487d9420e99a0febd2 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Wed, 21 Jan 2026 15:08:08 +0100 Subject: [PATCH] Add SECURITY.md to cookiecutter template --- doc/changes/unreleased.md | 1 + .../{{cookiecutter.repo_name}}/SECURITY.md | 25 +++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 project-template/{{cookiecutter.repo_name}}/SECURITY.md diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md index 1fad4d6ff..5a59ba5a8 100644 --- a/doc/changes/unreleased.md +++ b/doc/changes/unreleased.md @@ -39,6 +39,7 @@ take care and will need to make manual changes to ensure it still works with * #649: Restricted noxconfig usage throughout exasol.toolbox to only exasol.toolbox.nox.* * #647: Added summary to changelog template * #657: Updated `release:prepare` to modify cookiecutter template exasol-toolbox version range +* #665: Added SECURITY.md to the cookiecutter template ## Refactoring diff --git a/project-template/{{cookiecutter.repo_name}}/SECURITY.md b/project-template/{{cookiecutter.repo_name}}/SECURITY.md new file mode 100644 index 000000000..b5d90cf66 --- /dev/null +++ b/project-template/{{cookiecutter.repo_name}}/SECURITY.md 
@@ -0,0 +1,25 @@ +# Security + +If you believe you have found a new security vulnerability in this repository, please report it to us as follows. + +## Reporting Security Issues + +* Please do **not** report security vulnerabilities through public GitHub issues. + +* Please create a draft security advisory on the Github page: the reporting form is under `> Security > Advisories`. The URL is https://github.com/exasol/python-toolbox/security/advisories/new. + +* If you prefer to email, please send your report to `infosec@exasol.com`. + +## Guidelines + +* When reporting a vulnerability, please include as much information as possible, including the complete steps to reproduce the issue. + +* Avoid sending us executables. + +* Feel free to include any script you wrote and used but avoid sending us scripts that download and run binaries. + +* We will prioritise reports that show how the exploits work in realistic environments. + +* We prefer all communications to be in English. + +* We do not offer financial rewards. We are happy to acknowledge your research publicly when possible.
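Review bot: the advisory link in the new SECURITY.md hunk is hardcoded to `https://github.com/exasol/python-toolbox/security/advisories/new`, yet the file is generated into `project-template/{{cookiecutter.repo_name}}/`, so every project created from this template will direct reporters to the toolbox's own advisory form rather than to the generated repository's. Suggest building the URL from the template variables (the path already uses `{{cookiecutter.repo_name}}`; the GitHub owner would need to come from the template context as well) or dropping the absolute URL and keeping only the `> Security > Advisories` navigation hint, which is correct for any repository. Minor: `Github page` should read `GitHub page` to match the `GitHub issues` wording two lines earlier.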