docs: add SECURITY.md with private disclosure policy #98
Open
Pazificateur69 wants to merge 1 commit into
Adds a minimal SECURITY.md so that researchers have a clear, non-public channel for reporting vulnerabilities. Uses GitHub's built-in Private Vulnerability Reporting feature, leaving any preferred email or PGP key to be added by maintainers as needed. Industry-standard 90-day disclosure window mentioned as a default, extendable at maintainers' discretion.
Why

While reading the zenith contracts I noticed there is no SECURITY.md at the repo root and no .github/SECURITY.md. Without a clear, linkable disclosure policy, well-intentioned researchers may either open public issues (bad) or have no obvious channel to use at all.

What

Adds a minimal SECURITY.md that:

- … Reporting feature (no third-party emails hard-coded — leaves contact details to maintainers, who can add a security email or PGP key on top of this template if preferred).
- … maintainers' discretion.
- … src/ in; lib/ and test/ out).

Notes

… init4tech org already uses elsewhere — I just couldn't find a template in .github/ or in the org-wide .github repo.

… this PR; no offense taken.