
Conversation

@aryanguptacsvtu
Contributor

@aryanguptacsvtu commented Sep 17, 2025

Hi @Devasy23,
I've added the SECURITY.md file as per the structure suggested in the issue.
Please let me know if any changes are needed.😊

Summary by CodeRabbit

  • Documentation
    • Added a project security policy describing how to report vulnerabilities (email, do not open GitHub issues), required report details, a 72-hour initial response target, coordinated/responsible disclosure guidance (public disclosure after a fix), process for security fixes and releases, acknowledgments, and reference resources.

@coderabbitai
Contributor

@coderabbitai bot commented Sep 17, 2025

Walkthrough

Adds a new SECURITY.md containing a vulnerability reporting and disclosure policy: email-based reporting (not GitHub issues), required report contents, responsible/coordinated disclosure, supported-release handling, security fixes/releases workflow, acknowledgments, and resources. The document title contains a typo: "Security Polspliticy".

Changes

Cohort / File(s) Summary
Security Policy Documentation
SECURITY.md
Adds a SECURITY.md defining reporting workflow (email to maintainer, include description/repro/impact/mitigations), responsible disclosure guidelines, coordinated public disclosure after fixes, note on merges into main and supported release branches with release notes, acknowledgments, and references. Title contains a typo ("Security Polspliticy").

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Reporter
  participant Maintainer
  participant Repo as Repository
  participant Release as Release Process

  Note over Reporter,Maintainer: Vulnerability reporting workflow (coordinated disclosure)

  Reporter->>Maintainer: Email vulnerability report (description, repro, impact, mitigations)
  activate Maintainer
  Maintainer-->>Reporter: Acknowledge receipt (target: 72 hours)
  Maintainer->>Maintainer: Triage, verify, assess severity
  Maintainer->>Repo: Prepare fix in private/secure branch
  Repo-->>Maintainer: Fix validated and merged to main/release branches
  Maintainer->>Release: Publish release notes / security advisory
  Release-->>Reporter: Notify on fix availability
  deactivate Maintainer

  Note over Reporter,Release: Public disclosure occurs after fix is released

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I twitch my whiskers, read the creed,
A burrow’s rule for urgent need—
Send me mail, not issue noise,
We'll hush the hole and mend the toys.
When fixes bloom, I'll hop and sing. 🥕🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The PR title "SECURITY.md" directly matches the primary change (adding a SECURITY.md file with the project's security policy) so it is related and not misleading; however it is terse and functions only as a filename rather than a descriptive sentence, so it could be clearer about intent.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fa0cdef and 4261a88.

📒 Files selected for processing (1)
  • SECURITY.md (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • SECURITY.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: preview


Contributor

@coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (7)
SECURITY.md (7)

1-1: Fix title typo (“Polspliticy” → “Security Policy”).

-# 🔒 Security Polspliticy
+# 🔒 Security Policy

11-15: Clarify supported versions (be explicit).

Vague “Latest/Older” makes backport expectations unclear. Propose explicit policy.

-| Version | Supported          |
-|---------|--------------------|
-| Latest  | ✅ Yes              |
-| Older   | ❌ No               |
+| Version/Branch              | Security fixes |
+|----------------------------|----------------|
+| main (latest)              | ✅ Yes         |
+| Latest minor release (LTS) | ✅ Yes (90 days from release) |
+| Older                       | ❌ No          |
+
+Notes:
+- We backport critical fixes to the latest minor for 90 days after release.
+- After 90 days, only main receives fixes.
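Review bot: the proposed table and its notes disagree on what gets backported. The row for the latest minor release says security fixes are provided for 90 days, while the note beneath it restricts backports to critical fixes only; pick one rule and state it identically in both places. The "(LTS)" label is also misleading for a 90-day window, since long-term support normally implies a much longer commitment; either drop the label or define what it means here.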

31-31: Fix punctuation.

Double period after “72 hours”.

-⌛ We aim to respond to security reports **within 72 hours**..
+⌛ We aim to respond to security reports **within 72 hours**.

35-41: Add Safe Harbor language for good‑faith research.

Protect researchers acting within bounds to reduce legal ambiguity.

 ## 🚫 Responsible Disclosure Guidelines
@@
 - Do not publicly disclose the issue until it has been resolved.
 - Avoid testing vulnerabilities in a way that could disrupt services.
 - Act in good faith and with respect for user data and privacy.
+
+### Safe Harbor
+If you make a good‑faith effort to comply with this policy, we will not pursue or support legal action against you for your research. This includes:
+- Testing only on your own accounts/data (no data exfiltration).
+- No privacy violations, service degradation, or denial of service.
+- Ceasing testing and notifying us immediately upon accessing sensitive data.
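Review bot: the safe-harbor clause promises not to pursue legal action but never bounds where testing is authorised. "Testing only on your own accounts/data" is the only scope statement, and the project cannot authorise testing against third-party deployments of the software that it does not operate. Add a line limiting the safe harbor to systems the researcher owns or controls (or instances the maintainers explicitly designate) and state plainly that it cannot waive the rights of third parties or of any hosting provider.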

46-48: Define disclosure timelines.

State when details can be published if no fix ships.

 - We follow a **coordinated disclosure** approach.
 - We appreciate responsible reporting and will publicly disclose the issue only **after a fix has been released**.
+- If a fix is not available within 90 days of triage (or an agreed extension), you may disclose limited technical details sufficient to protect users.
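Review bot: the 90-day clock is measured "from triage", but triage is not a dated event anywhere in the policy; the only timestamped commitment is the 72-hour initial response. Anchor the deadline to a defined point, for example acknowledgement of the report (falling back to the date of receipt if no acknowledgement arrives within 72 hours), and say how an extension is agreed and by whom, so that "an agreed extension" is not open-ended.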

50-53: Mention CVE/GHSA handling and severity/triage targets.

Improves expectations for reporters and users.

 Security fixes will be merged into `main` and any supported release branches. We will publish release notes describing the fix and migration steps when required.
+
+### Triage & Severity
+- We classify reports using CVSS and prioritize P0 (critical) through P3 (low).
+- Initial triage target: 72h. Status updates at least weekly until resolved.
+
+### CVE/GHSA
+- We disclose via GitHub Security Advisories (GHSA) and request CVE IDs when applicable.
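Review bot: the triage section mixes two scales without relating them. CVSS yields a severity band (Critical/High/Medium/Low), while P0 to P3 are priority labels; either state the mapping (for example which CVSS range counts as P0) or keep a single scale. "Initial triage target: 72h" also restates the 72-hour response target from line 31 of the file, and the two may not mean the same thing (acknowledging receipt versus finishing severity assessment); merge them or define each explicitly so reporters know which promise applies.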

62-66: Optionally add PGP key and link to reporting entry point.

Provide encryption for sensitive reports and a direct pointer to the Security tab.

 ## 🔒 Resources
@@
 - [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+ - PGP public key for [email protected]: (fingerprint and key block here)
+ - How to report a vulnerability on GitHub (Private Reporting): Security tab → “Report a vulnerability”
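Review bot: the "Security tab → Report a vulnerability" path only exists when private vulnerability reporting has been enabled for the repository under Settings → Code security; if it has not been enabled, the instruction points at a button that is not there and reporters fall back to email. Enable the feature (or drop the bullet) before merge, and in the reporting section say which channel is preferred when both exist so the two sections do not compete.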

Replace placeholders before merge.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 790c7bf and fa0cdef.

📒 Files selected for processing (1)
  • SECURITY.md (1 hunks)

@aryanguptacsvtu
Contributor Author

Hi @Devasy23,
I've updated the SECURITY.md file as per your requirements.
I think it can now be merged cleanly...😊😊

@Devasy merged commit 262ee11 into Devasy:main Sep 29, 2025
31 checks passed
@aryanguptacsvtu
Contributor Author

Hi @Devasy23, could you please add the gssoc25 label to the PR.😊😊
Otherwise, my PR will not be counted.😥
