docs(security): add SECURITY.md disclosure policy#100
Merged
Conversation
Open-source projects with an embedded Snyk badge advertise an intent to handle security carefully; a SECURITY.md formalizes the disclosure path so reporters don't have to guess.

Contents:
- Supported versions: master-only single-track project.
- Reporting channels: GitHub Security Advisories (preferred); Codeberg DM; maintainer email as last resort. NEVER open a public issue.
- SLAs: acknowledge within 3 business days, triage within 7, fix high/critical within 30.
- Required content for reports: description, repro, affected commit, preferred attribution.
- In-scope and out-of-scope lists so casual scans don't generate noise reports.
- Disclosure timing: coordinate with the reporter, credit on the changelog entry.

GitHub auto-surfaces this file under the repo's Security tab; Codeberg recognizes the same convention.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CryptoJones added a commit that referenced this pull request on May 18, 2026
Contributor onboarding written down.

Covers:
- Quick-start (clone, env setup, migrations, tests).
- Pre-PR checklist: lint, test, audit, OpenAPI updates, CHANGELOG.
- Commit-message conventions (conventional-commit prefixes, Co-Authored-By trailers for AI-assisted work).
- What gets reviewed: auth scoping, zod input validation, soft-delete defaults, no raw SQL, logger discipline, tests.
- What contributors DON'T need (no CLA, no specific IDE, etc.).
- Where to start (good-first-issue label, test-file headers as the convention reference, CHANGELOG architectural rationale).

Pairs with SECURITY.md (#100) to round out the open-source meta-documentation set.

Co-authored-by: Aaron K. Clark <akclark@thenetwerk.net>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Adds SECURITY.md so reporters have a clear, documented path to disclose vulnerabilities responsibly:
- SLAs: acknowledge in 3 business days, triage in 7, fix high/critical in 30.

GitHub auto-surfaces the file under the repo's Security tab; Codeberg picks it up via the same convention.
Test plan
This code proudly made in Nebraska. GO BIG RED! 🌽 https://xkcd.com/2347/