
docs: add SECURITY.md security policy documentation#509

Merged: mehul-m-prajapati merged 2 commits into GitMetricsLab:main from SriHarshitha137:docs/add-security-policy on May 29, 2026

Conversation


@SriHarshitha137 SriHarshitha137 commented May 25, 2026

Related Issue


Description

Added a dedicated SECURITY.md file to improve the repository's security documentation standards and provide clear guidance for responsible vulnerability disclosure.

Changes Made

  • Added a professionally structured SECURITY.md
  • Included supported version information
  • Added vulnerability reporting guidelines
  • Defined responsible disclosure workflow
  • Added contributor security best practices
  • Included dependency security recommendations using npm audit
  • Maintained markdown consistency with existing repository documentation

How Has This Been Tested?

  • Verified markdown formatting and readability
  • Checked consistency with GitHub security policy conventions
  • Confirmed documentation structure aligns with repository standards

Type of Change

  • Bug fix
  • New feature
  • Code style update
  • Breaking change
  • Documentation update

Summary by CodeRabbit

  • Documentation
    • Added a security policy documenting supported versions receiving updates, how to report vulnerabilities (including responsible disclosure guidance and expected follow-up), what information to include, contributor security best practices, dependency auditing recommendations, and acknowledgements — improving transparency and guidance around reporting and managing security issues.



netlify Bot commented May 25, 2026

Deploy Preview for github-spy ready!

  • 🔨 Latest commit: be3a0db
  • 🔍 Latest deploy log: https://app.netlify.com/projects/github-spy/deploys/6a146a04285ed90008239a83
  • 😎 Deploy Preview: https://deploy-preview-509--github-spy.netlify.app

To edit notification comments on pull requests, go to your Netlify project configuration.


coderabbitai Bot commented May 25, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9c4c9671-d5af-476a-b43c-a2787bde5213

📥 Commits

Reviewing files that changed from the base of the PR and between 1da2e75 and be3a0db.

📒 Files selected for processing (1)
  • SECURITY.md
✅ Files skipped from review due to trivial changes (1)
  • SECURITY.md

📝 Walkthrough

Walkthrough

Adds a new SECURITY.md documenting GitHub Tracker’s security policy: supported versions, how to report vulnerabilities responsibly, what to include in reports, disclosure expectations, contributor security guidance, dependency audit commands, and acknowledgements.

Changes

Security policy document (SECURITY.md): New file documenting supported versions, vulnerability reporting steps and "do not" guidance, disclosure expectations and timelines, contributor security best practices, dependency auditing (npm audit / npm audit fix), and acknowledgements.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I scribble a shield in markdown bright,
A safe path for problems found at night,
Tell me the steps, the versions, what to say,
I guard reports and guide the right relay,
Hoppity—SECURITY stands watchful, light.

🚥 Pre-merge checks | ✅ 5 passed

  • Title check ✅ Passed: The title 'docs: add SECURITY.md security policy documentation' accurately summarizes the main change, clearly indicating a documentation addition of a security policy file.
  • Description check ✅ Passed: The PR description follows the template structure with all required sections: Related Issue, Description, Changes Made, Testing, and Type of Change checkbox marked appropriately.
  • Linked Issues check ✅ Passed: The PR addresses all requirements from issue #369: SECURITY.md file creation, vulnerability reporting guidelines, supported version info, disclosure workflow, contributor security best practices, dependency security recommendations, and markdown consistency.
  • Out of Scope Changes check ✅ Passed: The pull request contains only changes directly related to issue #369, a single SECURITY.md documentation file with no unrelated or extraneous modifications.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

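The walkthrough above notes that the new SECURITY.md recommends `npm audit` / `npm audit fix` for dependency auditing. The policy text itself does not show how a project turns that recommendation into an enforced check, so the following is an added example, not code from this PR or from the GitHub Tracker repository: a hypothetical CI helper (`audit_gate.py`) that reads the `npm audit --json` report (the npm 7+ `auditReportVersion: 2` shape), fails the job when any finding is at or above a chosen severity, and separates findings that `npm audit fix` will apply from those that need a major-version bump (`fixAvailable.isSemVerMajor`, which plain `npm audit fix` skips without `--force`). The package names, advisory URLs and the report embedded below are constructed sample data.

```python
"""Gate a CI job on `npm audit --json` output.

Hypothetical helper written for this review; not part of the GitHub Tracker
project. Usage:  npm audit --json | python audit_gate.py high
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass, field

# npm's severity scale, lowest to highest
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    package: str
    severity: str
    direct: bool            # listed in package.json, not only pulled in transitively
    fix_available: bool     # npm reports some fix (possibly one needing a major bump)
    semver_major_fix: bool  # fix needs a major bump: `npm audit fix` skips it without --force
    advisories: list[str] = field(default_factory=list)


def parse_audit(report: dict) -> list[Finding]:
    """Flatten the npm 7+ (auditReportVersion 2) `vulnerabilities` map."""
    findings: list[Finding] = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable", False)
        # fixAvailable is true/false, or an object {name, version, isSemVerMajor}
        semver_major = isinstance(fix, dict) and bool(fix.get("isSemVerMajor"))
        # `via` mixes advisory objects with plain strings naming other vulnerable
        # packages; only the objects carry advisory details
        advisories = [v["url"] for v in vuln.get("via", [])
                      if isinstance(v, dict) and "url" in v]
        findings.append(Finding(
            package=name,
            severity=vuln.get("severity", "info"),
            direct=bool(vuln.get("isDirect", False)),
            fix_available=bool(fix),
            semver_major_fix=semver_major,
            advisories=advisories,
        ))
    return findings


def gate(report: dict, fail_on: str = "high") -> tuple[int, list[Finding]]:
    """Return (exit_code, blocking findings); exit code 1 if anything is at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in parse_audit(report)
                if SEVERITY_RANK.get(f.severity, 0) >= threshold]
    return (1 if blocking else 0), blocking


def format_findings(findings: list[Finding]) -> str:
    """One line per finding, saying whether `npm audit fix` alone will resolve it."""
    lines = []
    for f in findings:
        scope = "direct" if f.direct else "transitive"
        if not f.fix_available:
            fix = "no fix available"
        elif f.semver_major_fix:
            fix = "fix needs major bump (npm audit fix --force)"
        else:
            fix = "fixable with npm audit fix"
        lines.append(f"{f.severity:<8} {f.package} [{scope}] {fix}")
    return "\n".join(lines)


# Constructed sample report in the npm 7+ shape; names and URLs are placeholders.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pkg-a": {
            "name": "pkg-a", "severity": "critical", "isDirect": False,
            "via": [{"name": "pkg-a", "severity": "critical",
                     "url": "https://example.invalid/advisory/a"}],
            "effects": [], "fixAvailable": True,
        },
        "pkg-b": {
            "name": "pkg-b", "severity": "moderate", "isDirect": True,
            "via": [{"name": "pkg-b", "severity": "moderate",
                     "url": "https://example.invalid/advisory/b"}],
            "effects": [], "fixAvailable": True,
        },
        "pkg-c": {
            "name": "pkg-c", "severity": "high", "isDirect": True,
            "via": [{"name": "pkg-c", "severity": "high",
                     "url": "https://example.invalid/advisory/c"}],
            "effects": [],
            "fixAvailable": {"name": "pkg-c", "version": "3.0.0", "isSemVerMajor": True},
        },
    },
}


if __name__ == "__main__":
    level = sys.argv[1] if len(sys.argv) > 1 else "high"
    data = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    code, blocking = gate(data, level)
    print(format_findings(blocking) or f"no findings at or above {level}")
    sys.exit(code)
```

The gate deliberately reads the JSON report rather than relying on `npm audit`'s own exit code, so the failure threshold and the "needs `--force`" distinction are visible in the job log instead of buried in a non-zero exit; on the sample report, gating at `high` blocks pkg-a and pkg-c and lets the moderate pkg-b through.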

@SriHarshitha137 SriHarshitha137 (Author) commented

Hello @GitMetricsLab 👋

I have added a dedicated SECURITY.md file containing:

  • Responsible vulnerability disclosure guidelines
  • Supported version information
  • Security reporting workflow
  • Contributor security best practices
  • Dependency security recommendations

This improves the repository’s security documentation and aligns it with GitHub security policy conventions.

Kindly review the PR. Thank you! 🚀

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
SECURITY.md (1)

13-16: ⚡ Quick win

Make supported versions explicit by release range/tag.

“Latest main branch” is ambiguous for consumers on published releases. Prefer concrete version lines (for example v2.x, v1.8+) with support status.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 13 - 16, Update SECURITY.md to replace the
ambiguous "Latest `main` branch" row with explicit release tags or ranges (e.g.,
"v2.x", "v1.8+", or specific semver ranges) and add corresponding support status
entries; edit the table header rows (the lines containing "Latest `main` branch"
and "Older versions") so they list concrete release identifiers and their
support status, and include a short note explaining the support policy
(supported range, EOL criteria) for future clarity.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Around line 6-7: Insert a single blank line immediately before the thematic
break `---` in SECURITY.md so the `---` line is not parsed as a setext-style
heading underline by markdownlint (MD003); locate the `---` line and add one
empty line above it to satisfy the linter.
- Around line 36-40: The security contact paragraph currently lists generic
reporting methods but lacks a definitive private contact; update the security
contact section to include a concrete private endpoint (e.g., a dedicated
security email address like security@your-org.com and/or the repository's
private security advisory URL), optional PGP key or Keybase handle for encrypted
reports, and a brief expected response timeframe so reporters know where and how
to submit sensitive vulnerability information securely.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 58a3bae5-a4bc-48a6-9a4b-5e19df6eaef1

📥 Commits

Reviewing files that changed from the base of the PR and between 6c6bc3e and 1da2e75.

📒 Files selected for processing (1)
  • SECURITY.md

Comment thread on SECURITY.md, lines +36 to +40:
Please report vulnerabilities by contacting the maintainers through one of the following methods:

- Open a private security advisory (if enabled)
- Contact the repository maintainers directly via GitHub
- Provide detailed reproduction steps and supporting information

@coderabbitai coderabbitai Bot (Contributor) commented
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Provide a concrete private security contact path.

The policy says “contact maintainers directly via GitHub,” but does not specify a definitive private endpoint (security email, SECURITY advisory URL, or contact form). This can delay reports or cause accidental public disclosure.

Suggested doc update
 Please report vulnerabilities by contacting the maintainers through one of the following methods:
 
 - Open a private security advisory (if enabled)
-- Contact the repository maintainers directly via GitHub
+- Email: security@<your-domain>
+- Private advisory: https://github.com/<org>/<repo>/security/advisories/new
 - Provide detailed reproduction steps and supporting information
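Review bot: the two `+` lines carry template placeholders (`security@<your-domain>`, `https://github.com/<org>/<repo>/security/advisories/new`) that would ship verbatim if the suggestion were committed as-is, leaving reporters with a non-existent mailbox and a broken advisory link; fill in the real address and the repository's own advisory URL before applying. The new private-advisory line also only works if private vulnerability reporting is turned on in the repository's settings, so the kept line "Open a private security advisory (if enabled)" should be reconciled with it: either confirm it is enabled and drop the qualifier, or keep the email as the primary path and mark the advisory link as conditional.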

@SriHarshitha137 SriHarshitha137 (Author) commented

Addressed the suggested changes. Thanks!

@mehul-m-prajapati mehul-m-prajapati merged commit 5f18d37 into GitMetricsLab:main May 29, 2026
6 checks passed
github-actions Bot commented

🎉🎉 Thank you for your contribution! Your PR #509 has been merged! 🎉🎉


Development

Successfully merging this pull request may close these issues.

🚀 Feature: Add SECURITY.md Security Policy Documentation

2 participants