The OpenINF SDK team, now benefitting from dual Maintainership, takes the security of OpenINF and the applications created with its SDK seriously. This page describes how to report any vulnerabilities you may find and lists best practices to minimize the risk of introducing or being affected by a vulnerability.

In the rare event that you find a vulnerability in the OpenINF SDK itself, email us. We hope to regularly work with the cybersecurity community and the brilliant researchers in the field to arrive at positive outcomes for all parties involved. An alternative to email for reporting should be available shortly for those uncomfortable with that medium. Anonymous reports will also gladly be accepted. We also hope to introduce a healthy manner of incentivizing reporting in the near term.

• Keep current with the latest OpenINF SDK releases. We regularly update the various packages that the OpenINF SDK is composed of, and these updates may fix security defects discovered in earlier versions. Regularly review changelogs associated with the different OpenINF SDK package releases for security-related updates. Be sure to make the upgrades quickly once release notes are published, as they will contain information relevant to potential vulnerabilities. We hope to accompany these notices with detailed instructions explaining how any exploits could have been taken advantage of by malicious actor(s). This practice is to keep package consumers informed whether they may or may not have been affected and to ensure folks can make educated decisions relating to any potential remediation activities that may be necessary.

• Keep your project's dependencies up to date. Make sure you upgrade your package dependencies to keep the dependencies up to date. Avoid pinning to specific versions for your dependencies. If you do, check periodically to see if your dependencies have had security updates and update the pin accordingly. Doing this manually, however, can become tedious. It is advisable to use an automated dependency update tool that fits into your workflows, such as Mend Renovate (also known as Renovatebot), which we are thankful to have as one of our organization's trusted partners in automated dependency management.² We hope you, dearest reader, will soon join us in our journey to maintain our secure software ecosystems.