Below is a template of what is expected in a security review. All of the below content can easily be generated using the form on the QuickStart page.
This content must appear at the top of the review file. The name, email, and organization fields are optional, but all other fields are required.
---
Publication-State: [ "Active" | "Removed" ]
Reviewers:
- Name: <Name>
  Email: <E-Mail>
  Organization: <Organization>
  Associated-With-Project: [ true | false ]
  Compensation-Source: [ "Project" | "Non-Project" | "External" | "Undisclosed" | "None" ]
Domain: Security
Methodology:
- Static-Analysis
- Code-Review
- Web-Search
- Fuzzing
- External
Issues-Identified: [ "Severe" | "Non-Severe" | "Not-Examined" | "None" ]
Package-URLs:
- <Package URL>
Review-Date: 'YYYY-MM-DD'
Scope: [ "Implementation/Full" | "Implementation/Partial" | "Non-Implementation" ]
Schema-Version: '1.0'
SPDX-License-Identifier: CC-BY-4.0
---
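As an added example (not part of this template or the project's own tooling), a small Python checker that parses a constructed review file written in the front matter above and reports missing required fields, values outside the listed choices, a Review-Date that is not 'YYYY-MM-DD', Package-URLs entries that are not Package URLs, and reviewer entries lacking the required Associated-With-Project or Compensation-Source. It assumes no YAML library is available and handles only the key, list and list-of-mapping shapes the template uses; the sample omits Name, Email and Organization because those are optional.

```python
import re  # the sample below is a constructed review file in the front-matter format described above
SAMPLE_REVIEW = """---
Publication-State: Active
Reviewers:
- Associated-With-Project: false
  Compensation-Source: None
Domain: Security
Methodology:
- Code-Review
Issues-Identified: None
Package-URLs:
- pkg:npm/example-package@1.2.3
Review-Date: '2024-01-15'
Scope: Implementation/Partial
Schema-Version: '1.0'
SPDX-License-Identifier: CC-BY-4.0
---"""
ENUMS = {"Publication-State": {"Active", "Removed"}, "Domain": {"Security"},
         "Issues-Identified": {"Severe", "Non-Severe", "Not-Examined", "None"},
         "Scope": {"Implementation/Full", "Implementation/Partial", "Non-Implementation"}}
COMPENSATION = {"Project", "Non-Project", "External", "Undisclosed", "None"}
REQUIRED = ["Publication-State", "Reviewers", "Domain", "Methodology", "Issues-Identified",
            "Package-URLs", "Review-Date", "Scope", "Schema-Version", "SPDX-License-Identifier"]

def parse_front_matter(text):  # tiny parser for the shapes the template uses (assumption: no PyYAML)
    lines = text.split("\n")
    data, key = {}, None
    for line in lines[1:lines.index("---", 1)]:  # assumes the file opens with the '---' marker
        if line.startswith("  "):  # indented field of the current reviewer entry
            k, v = line.strip().split(": ", 1)
            data[key][-1][k] = v.strip("'\"")
        elif line.startswith("- "):  # list item; a mapping when written as "- Name: ..."
            item = line[2:]
            data[key].append(dict([item.split(": ", 1)]) if ": " in item else item)
        else:  # top-level "Key: value"; an empty value opens a list
            key, _, v = line.partition(":")
            data[key] = v.strip().strip("'\"") or []
    return data

def validate_review(text):
    """Return the problems found; an empty list means the front matter passes."""
    fm = parse_front_matter(text)
    problems = [f"missing required field {k}" for k in REQUIRED if k not in fm]
    problems += [f"{k}={fm[k]!r} is not one of {sorted(ok)}" for k, ok in ENUMS.items() if k in fm and fm[k] not in ok]
    problems += [f"not a Package URL: {p!r}" for p in fm.get("Package-URLs", []) if not p.startswith("pkg:")]
    problems += ["reviewer entry lacks Associated-With-Project or a valid Compensation-Source" for r in fm.get("Reviewers", [])
                 if r.get("Associated-With-Project") not in {"true", "false"} or r.get("Compensation-Source") not in COMPENSATION]
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", fm.get("Review-Date", "")):
        problems.append("Review-Date must be quoted as 'YYYY-MM-DD'")
    return problems
```

Running `validate_review` over a file that drops the colon after Review-Date reports the field as missing as well as malformed, which is the kind of slip a schema check catches before a review is published.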
Required: Include a summary of the review here. It can be as simple as, "There were no notable findings." This section should be no more than one short paragraph.
Optional: Use this section to describe any findings and to provide additional information. It can be as long as you'd like. If a threat model or assumed context is relevant, feel free to include it here.
Optional: This section describes what was actually done when performing the review.
Optional: If the security review was conducted by a third party or published at an external location, include a reference to that assessment. You can also reference external URLs for any other purpose.
Required: All security reviews are conducted on a "best-effort" basis against a software component at a point in time. We make no guarantee as to the quality or completeness of any review. If you believe any content is inaccurate, we encourage you to open an issue or submit a pull request with a correction or improvement.
Required: This text is released under at least the Creative Commons Attribution 4.0 (CC-BY-4.0) license. Externally-referenced content may be licensed differently.