Security Best Practices
This document is a placeholder. Some topics we will want to remember to cover:
- Signed releases
- Pin GitHub Actions (GHA) and dependency checkouts to a full commit SHA, not a version tag (tags can be moved; a commit SHA cannot)
- See testing best practices for: static analysis, dynamic analysis, fuzzing
- Setting up a security policy
- How to respond to security reports
- CVEs
- Security audits and how to work with the teams performing them