GitHub has a feature to populate this tab automatically across all repos by creating a repo called .github with a SECURITY.md in it. GitHub - nodeca/.github is an example.
I don’t think the security policies of all the PyPA projects are the same (and the PyPA has no authority to dictate a standard security policy on them), so that wouldn’t work.
Maybe all the projects could agree on a standard approach though? I understand that it’s difficult to get consensus but if nothing else maybe some boilerplate explaining what you said could be helpful.
I wouldn’t be surprised if the security tab content is overridden by any projects which have their own SECURITY.md, although I haven’t tested that.
Possibly, but why not just leave projects to have their own file? If they have the time (and inclination) to discuss and agree on a common policy, they could just as easily use that time to publish their own policy.
I think there’s actually some nuance here around whether PyPA has the authority to do this. From PEP 609, one of the PyPA’s formative goals is:
The PyPA should, as much as possible, strive for standardization and coordination across PyPA projects, primarily through the governance process outlined below. PyPA projects are expected to abide by applicable specifications maintained by the PyPA.
If I understand this correctly, this means that PyPA could in principle pursue action here: a current PyPA member could call a vote to update the governance itself to include enforcement of a blanket security policy, similar to the current goal of org-wide code-of-conduct enforcement.
If there’s interest in that, then I think the sensible thing there would be to write the PyPA-wide security policy to be as generic as possible. That way, individual projects could always override it with their own project-specific policies, as many currently do. The super generic thing to do would probably just be to declare a security contact (the PSRT email, perhaps?)
(Note: I don’t actually have a strong opinion about whether PyPA should provide an org-wide SECURITY.md, at least not yet. I think I agree with Paul about it probably being a better use of each project’s time to just write their own separate policy given how devolved PyPA is in practice. But I couldn’t help lawyering!)