As of today, we are requiring all members of Ember GitHub organizations to have two-factor authentication (2FA) enabled.
The following are the relevant organizations:
Only members of these organizations--those with potential write access--are required to have 2FA enabled. It is NOT required to open an issue, make a PR, or otherwise interact with the organizations on GitHub. However, we strongly recommend enabling 2FA, especially for any account with write access to public repos.
When we enabled this requirement any members without 2FA enabled were automatically removed from the above organizations. If you were removed from one of those organizations today, please enable 2FA and contact
katie in the community slack or your favorite organization admin to be re-invited.
We have formalized this policy after self-auditing our security policies in the wake of yesterday's npm incident. Because developers trust Ember.js to handle sensitive customer data in production, we take the security of the project extremely seriously. The Ember project maintains a clearly outlined security policy.
If you discover what you believe may be a security issue in Ember.js, we ask that you follow our responsible disclosure policy.
If you are using Ember.js in production, please consider subscribing to our security announcements mailing list. It is extremely low-traffic and only contains high-priority security announcements.