Unifiy the security.md in a single org

[UlisesGascon]

Currently we have identical information in the tree orgs:

• https://github.com/expressjs/.github/blob/master/SECURITY.md
• https://github.com/pillarjs/.github/blob/master/SECURITY.md
• https://github.com/jshttp/.github/blob/master/SECURITY.md

Ideally we can have only one (https://github.com/expressjs/.github/blob/master/SECURITY.md) and overwrite the other policies to point to the policy in Express.

I will work on it

[bjohansebas]

What if we create an automation to ensure that the .github repositories have the same files?

[UlisesGascon]

What if we create an automation to ensure that the .github repositories have the same files?

I already created the PRs (pillarjs/.github#3 and jshttp/.github#4) but if we prefer the automation I can work on that (cc: @expressjs/security-wg)

[wesleytodd]

There is automation around which does this kind of thing, like npm's template-oss, but honestly I am not sure this is worth spending time on. There are not that many files, and we may have good reasons to differentiate things in some of these files across the orgs. I think we should just copy them and see when the next time someone touches them all at once before we work on automation.

[UlisesGascon]

I'll keep this open in case we need to take action based on this comment: expressjs/.github#15 (comment).

Otherwise, we can close this in two weeks to allow time for the score to update organically.