docs: add SECURITY.md #333
Conversation
Add a security policy document, covering supported software versions, vulnerability reporting, disclosure policy, scope, and security guidelines for contributors.

Signed-off-by: Lindsay Holmwood <[email protected]>
Pull request overview
This PR adds a comprehensive security policy document (SECURITY.md) to the CipherStash Proxy repository, establishing formal security practices, vulnerability reporting procedures, and contribution guidelines for security-sensitive code.
- Defines supported versions (2.1.x and above) and vulnerability reporting process via [email protected]
- Establishes coordinated responsible disclosure policy with 48-hour acknowledgment SLA
- Provides security guidelines for contributors working with cryptographic code
| The following are **in scope**: | ||
|
|
||
| - The `cipherstash/proxy` GitHub repository | ||
| - All published Docker images published to [Docker Hub under `cipherstash/proxy`](https://hub.docker.com/r/cipherstash/proxy) |
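Review bot: The in-scope list names the repository and the Docker Hub images but does not connect them to the supported-version table elsewhere in this file, so a reader could reasonably assume a report against an old image tag or an unsupported commit is in scope. Consider adding a sentence after the list such as "Only releases and images corresponding to supported versions (see the table above) are in scope", so that the scope and the version policy cannot drift apart.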
Copilot (AI) · Nov 26, 2025
Redundant wording: "All published Docker images published to" contains duplicate use of "published". Consider rewording to "All Docker images published to" or "Published Docker images available at".
| - All published Docker images published to [Docker Hub under `cipherstash/proxy`](https://hub.docker.com/r/cipherstash/proxy) | |
| - All Docker images published to [Docker Hub under `cipherstash/proxy`](https://hub.docker.com/r/cipherstash/proxy) |
| ### 🛡 Coding & dependency hygiene | ||
| - Avoid adding dependencies unless necessary | ||
| - Keep dependencies updated and vetted | ||
| - Use TypeScript for all new code |
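Review bot: "Keep dependencies updated and vetted" states the expectation but not how a contributor or reviewer is meant to satisfy it, which makes the guideline hard to enforce in review. Since this is a Rust codebase (the Cargo.toml is referenced in this thread), suggest naming the concrete checks that are expected to pass, for example `cargo audit` for advisory matching and `cargo deny check` for licence and source policy, and stating whether they run in CI or only locally; the language line should also say Rust rather than TypeScript.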
Copilot (AI) · Nov 26, 2025
Incorrect language requirement: This repository is a Rust project (as evident from Cargo.toml and the Rust packages), but the guideline states "Use TypeScript for all new code". This should be corrected to "Use Rust for all new code" or similar appropriate language.
| - Use TypeScript for all new code | |
| - Use Rust for all new code |
| | Version | Supported | | ||
| | ------- | ------------------ | | ||
| | 2.1.x | :white_check_mark: | | ||
| | < 2.1 | :x: | |
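Review bot: The table lists only 2.1.x as supported, while the PR overview describes the policy as "2.1.x and above"; as written, a future 2.2.0 release would match neither row, so the table does not express the intended policy. Either write the supported row as `>= 2.1` or add a sentence under the table stating which releases receive fixes (for example only the latest minor release), whichever is actually intended, and keep the overview consistent with it.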
Copilot (AI) · Nov 26, 2025
Inconsistent table formatting: Line 19 has inconsistent spacing compared to line 18. Consider adding spaces around the version for better alignment: | < 2.1 | :x: |
| | < 2.1 | :x: | | |
| | < 2.1 | :x: | |
|
|
||
| The following are **out of scope**: | ||
|
|
||
| - Example [schema](./docs/sql/schema-example.sql) and [configuration](./cipherstash-proxy-example.toml) (though we are still grateful for any relevant disclosires there) |
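Review bot: The out-of-scope item still invites disclosures in its parenthetical, which leaves it unclear what being out of scope changes in practice, in particular whether the 48-hour acknowledgment commitment applies to such reports. Suggest stating explicitly that reports about the example schema and configuration are welcome at the same address but are handled on a best-effort basis rather than under the coordinated disclosure timeline, so that reporters know what to expect.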
Copilot (AI) · Nov 26, 2025
Spelling error: "disclosires" should be "disclosures".
| - Example [schema](./docs/sql/schema-example.sql) and [configuration](./cipherstash-proxy-example.toml) (though we are still grateful for any relevant disclosires there) | |
| - Example [schema](./docs/sql/schema-example.sql) and [configuration](./cipherstash-proxy-example.toml) (though we are still grateful for any relevant disclosures there) |
Acknowledgment
By submitting this pull request, I confirm that CipherStash can use, modify, copy, and redistribute this contribution, under the terms of CipherStash's choice.