With the recent Travis CI security issue, it's again become necessary for Mozilla security folks to be able to contact maintainers of our GitHub repos (in this case to coordinate rotation of leaked credentials).
I wanted to see if we (GitHub owners) could come up with a standard (either an existing one or make one) for how people can assert and communicate their role as a maintainer of a given GitHub repo.
I don't know if an email thread is the best channel, but I thought I'd start this and we could switch to a zoom call if folks want.
Here are some potential solutions that have come to mind:
This standard (https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository) is so repo maintainers can assert how to report security vulnerabilities.
- It's public, so maintainers might be reluctant to put email addresses in there