Atul Prakash, an electrical engineering and computer science professor, is part of a research team studying the process GitHub has in place for disclosing security issues. The international group of researchers studied the prevalence of vulnerable libraries used on GitHub and the ways in which those vulnerabilities are reported.
They found that 385 of 600 open-source Java projects used at least one vulnerable library. Only 19 projects had a security reporting process. The team’s research culminated in a list of recommendations to help GitHub develop a standardized method to report security vulnerabilities. One recommendation is to add a SECURITY.md file with contact information and the disclosure policy of the project.
“What you don’t want to see is a SECURITY.md file with nothing in it,” Prakash said. “I think the jury is still out on how effective this is going to be, but the hope is, it encourages people to start taking security more seriously, even in open-source projects.”