Skip to main content

Security checklist


One-time activities are marked with ☑️, and the recurrent ones with 🔁.


When utilizing the suggested security tools, please consider using the cheat sheet.

I. Proactive vulnerability discovery

☑️ Create a threat model.
☑️ Choose a suite of security tools to scan your codebase.
☑️ Automate the suite of security tools in local/development environments and CI/CD pipelines, with quality gates.
☑️ Request the integration of your project with OSS-Fuzz.
🔁 Periodically check for vulnerabilities in your dependencies.
🔁 Constantly validate the warnings from your security tooling.
🔁 Keep the threat model updated.

II. Secure users

☑️ Design your software to be secure by default.
☑️ Have security recommendations for users.
☑️ Create SBOMs.

III. Established security reporting process

☑️ Have a standardised, documented process for responding to vulnerabilities.
☑️ Create a security policy with preferred way to contact and report format.
☑️ Find backup security responders.
🔁 Be transparent and verbose with the reported vulnerabilities: mention patching commits, attach security tags to issues, and request CVE IDs.