SSWG - Security requirements for packages on the index


This information is intended for package authors who have packages incubated by the SSWG and listed on the package index or are looking into pitching/proposing their package to be listed. If instead you found (or have heard of) a security vulnerability you’d like to report, please have a look over here.


Packages that are incubated by the SSWG and listed on the SSWG's package index must follow the security guidelines below.

Where security vulnerabilities are involved, it is key to ensure that somebody who discovers a vulnerability in your package can quickly find information on how to report it. As the package author, you know best where to put important information about your software. Bear in mind that many of your users will see your repository’s readme file (usually README.md) first. So make sure to link to your security policy from there.

A file named SECURITY.md in the root of your repository is the recommended place to put your full security policy. It is also worth noting that some vendors (like GitHub) automatically discover and promote SECURITY.md, which makes the relevant information even easier for your users to find.
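As an added illustration of the layout described above (this is not an SSWG template or any project's actual policy), here is a minimal SECURITY.md with the two sections a reporter needs first, plus the one-line README pointer to it. The contact address, package name, and version range are placeholders to be replaced with your own.

```markdown
<!-- SECURITY.md (repository root) -->
# Security Policy

## Reporting a Vulnerability

Please do **not** open a public issue for security problems.

Report vulnerabilities privately to <security@example.org>   <!-- placeholder address -->
or via GitHub's "Report a vulnerability" (Security Advisories) on this repository.

Please include: affected version(s), a description of the issue, and steps to reproduce.
We acknowledge reports within 3 business days and coordinate a fix and disclosure date with you.

## Supported Versions

| Version | Supported |
|---------|-----------|
| 2.x     | yes       |   <!-- placeholder version range -->
| < 2.0   | no        |

<!-- README.md: add this near the top so the policy is found first -->
## Security
See [SECURITY.md](SECURITY.md) for how to report a vulnerability.
```

The acknowledgement window and version table are assumptions for the sake of the example; the point is that the reporting channel is the first thing on the page and that the README links to it.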

Project authors are also encouraged to make use of their source control system security features (for example: GitHub’s “Security Advisories” and GitLab’s “Confidential Issues”) to manage the vulnerabilities and inform their users.

The key requirements are: