diff --git a/docs/Concise-Guide-for-Developing-More-Secure-Software.md b/docs/Concise-Guide-for-Developing-More-Secure-Software.md index 9936f1e4..d3b41a75 100644 --- a/docs/Concise-Guide-for-Developing-More-Secure-Software.md +++ b/docs/Concise-Guide-for-Developing-More-Secure-Software.md 
@@ -19,7 +19,7 @@ Here is a concise guide for all software developers for secure software developm - [Explicitly disclose security issues affecting vendored dependencies](Vendored-Dependencies-Guide.md). - Create a [security policy](https://github.com/ossf/oss-vulnerability-guide/tree/main/templates/security_policies). Provide contacts. 12. **Make it easy for your users to update**. Implement stable APIs, e.g., support old names when new ones are added. Use semantic versioning. Have a deprecation process. -13. **Sign your project’s important releases**. Use standard tools and signing formats for your distribution. See the [cosign tool](https://docs.sigstore.dev/cosign/overview) from the [sigstore project](https://www.sigstore.dev/) to sign containers and other artifacts. +13. **Sign your project’s important releases**. Use standard tools and signing formats for your distribution. See the [cosign tool](https://docs.sigstore.dev/quickstart/quickstart-cosign/) from the [sigstore project](https://www.sigstore.dev/) to sign containers and other artifacts. 14. [**Earn an OpenSSF Best Practices badge**](https://www.bestpractices.dev/) for your open source project. At least earn “passing”. Plan and roadmap to eventually earn silver & gold. 15. **Improve your** [**OpenSSF Scorecards**](https://github.com/ossf/scorecard) **score (if OSS and on GitHub)**. You can read the [Scorecards checks](https://github.com/ossf/scorecard#scorecard-checks). Use the [Allstar](https://github.com/ossf/allstar) monitor. 16. **Notify the community of vulnerabilities in your project.** Publish security advisories with accurate & precise information, e.g., what usage & versions are vulnerable, mitigations, and fixed version(s). Get a CVE ID. 
On GitHub, [create your security advisory](https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-security-advisory#creating-a-security-advisory) & [request a CVE](https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories#cve-identification-numbers).
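Review bot: in item 13, the replacement cosign URL points at a quickstart page (`/quickstart/quickstart-cosign/`) while the link text still reads "cosign tool", which described the previous overview page; confirm the new path resolves on docs.sigstore.dev and either keep the text as-is if that page is now the canonical entry point for cosign, or adjust the link text (e.g. "cosign quickstart") so readers know they are landing on a getting-started page rather than a tool overview. The surrounding guidance in item 13 (standard tools and signing formats, sigstore project link) is unchanged, so no other items in this section need touching.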