Caddy participated in the GitHub Secure Open Source Program 2025

We are pleased to announce that Caddy was nominated and selected to participate in the GitHub Secure Open Source Program this summer.

Over the course of several weeks, we (some Caddy maintainers) underwent several days of training and completed workshops related to various aspects of open source security. Some of the topics included security advisories, community safety/security, supply chain verification, securing GH actions, threat modeling, fuzzing, relevant tooling, and risks stemming from AI/LLMs.

Some of the effects have already been implemented, such as utilizing code scanning, private vulnerability reporting, improved Dependabot configuration, and protecting branches.

In the near future, we will be completing an Incident Response Plan (IRP) for handling security events in a well-defined manner, as well as passing along our training to other maintainers and hopefully the rest of the community as time allows. We’re excited for the net improvement to our ecosystem!

We want to thank those who considered Caddy important enough to nominate. We learned a lot from this program. And a special thank you to the partners of the program who enabled the funding, as it has been extremely helpful for our project, ultimately benefiting millions of Internet users.
