Create SECURITY.md for security policy#3
Merged
Merged
Conversation
Add a security policy document outlining supported versions and vulnerability reporting.
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a SECURITY.md document to define the project’s security policy (supported versions and vulnerability reporting process).
Changes:
- Introduces
SECURITY.mdwith sections for supported versions and vulnerability reporting.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+5
to
+14
| Use this section to tell people about which versions of your project are | ||
| currently being supported with security updates. | ||
|
|
||
| | Version | Supported | | ||
| | ------- | ------------------ | | ||
| | 5.1.x | :white_check_mark: | | ||
| | 5.0.x | :x: | | ||
| | 4.0.x | :white_check_mark: | | ||
| | < 4.0 | :x: | | ||
|
|
There was a problem hiding this comment.
The “Supported Versions” section still contains GitHub template placeholder text and a generic version support table (e.g., 5.1.x/5.0.x) that doesn’t appear to match this repo’s actual versioning/release scheme. Please replace this with project-specific supported version(s) (or state that only the latest release/main branch is supported) and remove the placeholder guidance text.
Suggested change
| Use this section to tell people about which versions of your project are | |
| currently being supported with security updates. | |
| | Version | Supported | | |
| | ------- | ------------------ | | |
| | 5.1.x | :white_check_mark: | | |
| | 5.0.x | :x: | | |
| | 4.0.x | :white_check_mark: | | |
| | < 4.0 | :x: | | |
| This project currently supports only the latest version on the `main` branch for security updates. | |
| All older releases and branches are not supported and will not receive security fixes. |
Comment on lines
+17
to
+21
| Use this section to tell people how to report a vulnerability. | ||
|
|
||
| Tell them where to go, how often they can expect to get an update on a | ||
| reported vulnerability, what to expect if the vulnerability is accepted or | ||
| declined, etc. |
There was a problem hiding this comment.
The “Reporting a Vulnerability” section is still template text and doesn’t provide an actionable reporting channel. Please specify where to report (e.g., GitHub Security Advisories / private email), what information to include, and expected response timelines so reporters know how to proceed.
Suggested change
| Use this section to tell people how to report a vulnerability. | |
| Tell them where to go, how often they can expect to get an update on a | |
| reported vulnerability, what to expect if the vulnerability is accepted or | |
| declined, etc. | |
| If you believe you have found a security vulnerability in this project, please | |
| report it privately via a GitHub Security Advisory: | |
| 1. Go to the repository page on GitHub. | |
| 2. Click on the **Security** tab. | |
| 3. Click **Report a vulnerability** and follow the instructions. | |
| When submitting a report, please include as much of the following information | |
| as possible to help us triage and remediate the issue quickly: | |
| - A clear description of the vulnerability and its impact. | |
| - The affected version(s) (see the table above) and any specific configuration | |
| required to reproduce it. | |
| - Step‑by‑step reproduction instructions and, if possible, a minimal proof of | |
| concept (PoC). | |
| - Any logs, stack traces, or screenshots that may be helpful. | |
| - Your assessment of the severity (for example, based on CVSS) if you have one. | |
| **Response and disclosure process** | |
| - We aim to acknowledge receipt of your report within **3 business days**. | |
| - We will provide updates at least every **7 days** while the issue is being | |
| investigated and fixed. | |
| - Once a fix is ready, we will work with you on coordinated disclosure timing. | |
| - Credit will be given in release notes or advisories if you wish, unless you | |
| request to remain anonymous. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add a security policy document outlining supported versions and vulnerability reporting.