4 Commits

Author SHA1 Message Date
Ilya Grigoriev
6c2ad68330 SECURITY.md: insert an explicit URL
The previous "on this page" statement is wrong more often than not.
Unfortunately there is no "Report a vulnerability" button on
https://github.com/jj-vcs/jj/security/policy, and looking for such a
button from https://github.com/jj-vcs/jj?tab=security-ov-file leads to
confusion.

This is not the end of the world, but I don't see much security downside
to clarifying it (that is, I don't think *not* having a link protects
against phishing in any real way).
2025-02-07 05:09:28 +00:00
Martin von Zweigbergk
db5e7dd70c docs: update SECURITY.md now that we've enabled vulnerability reporting
We enabled GitHub's private vulnerability reporting a few weeks or
months ago (for CVE-2024-51990), so there's no need to email about
vulnerabilities anymore.
2024-12-11 09:23:00 -08:00
Ilya Grigoriev
d82266887c SECURITY.md: show the email plainly
Previously, the link wasn't working from GitHub's rendered markdown.

Another alternative is to add `mailto:` to the link, which would make it work. However, I thought that since the email is the most important piece of information in the entire file, we should just write it out.
2023-06-04 17:03:25 -07:00
Martin von Zweigbergk
b6cac0c6aa docs: add a SECURITY.md
I've set up a jj-security@googlegroups.com list. The template comes
from Google's internal web.

I have no experience with GitHub's Security Advisory database, but it
seems like a good practice, so let's use it.
2023-03-10 14:31:36 -08:00