Aligning Projects with Minimum Security Reporting Guidelines

[UlisesGascon]

I was reviewing the OpenJS Foundation Security Reporting Guidelines, and it appears that having a SECURITY.md file is the minimum recommended standard. However, I've noticed that some projects are not yet aligned with this requirement:

I will provide an exhaustive list soon

Additionally, I’d like to propose a discussion around whether we should incorporate further security-related requirements based on practices we've found effective in the past.

[ctcpip]

notes from today's sec mtg:

• sec group produced a minimal template for projects to use/adapt
• Chris: but this template doesn't seem very minimal to me
  • we should create a very minimal / bare-bones template for folks to use, which would be much better than nothing
    • maintainers can start with this if they do not want to adopt the more comprehensive templates
  • also recommend projects enable GH PVR feature if they don't already use another reporting mechanism (e.g. HackerOne, etc)