Skip to content

docs(security): add SECURITY.md vulnerability disclosure policy#12

Merged
adamy merged 1 commit into
mainfrom
feat-security-policy
Jun 10, 2026
Merged

docs(security): add SECURITY.md vulnerability disclosure policy#12
adamy merged 1 commit into
mainfrom
feat-security-policy

Conversation

@adamy

@adamy adamy commented Jun 10, 2026

Copy link
Copy Markdown
Owner

Adds a vulnerability disclosure policy (SECURITY.md), shown by GitHub on the repo's Security tab.

Policy highlights

  • Private reporting: GitHub Security Advisories (private vulnerability reporting now enabled on the repo) or the Object IT contact form — no public issues for vulnerabilities.
  • Response targets: acknowledge within 3 business days, initial assessment within 14 days; fix timeline by severity.
  • Scope: the three NuGet packages + embedded widget, explicitly including DoS vulnerabilities in BotWire code (ReDoS in PII/prompt-injection guards, rate-limiter bypass).
  • Out of scope: third-party deps (tracked via Dependabot), samples-only issues (unless they demonstrate an insecure recommended pattern), volumetric DoS against hosting services.
  • AI-specific section: guards are best-effort; deployer responsibilities; guard bypasses are reportable.

Repo settings enabled alongside (not in this diff)

  • Dependabot vulnerability alerts
  • Dependabot security updates (auto-PRs for vulnerable deps)
  • Private vulnerability reporting

🤖 Generated with Claude Code

- Private reporting via GitHub Security Advisories + Object IT contact form
- Scope: NuGet packages, widget, DoS vulns in BotWire code (ReDoS, rate-limiter bypass)
- Out of scope: third-party deps, samples-only issues, volumetric DoS
- Coordinated disclosure; fixes ship as NuGet patch releases with advisories

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@adamy adamy merged commit 47195bb into main Jun 10, 2026
@adamy adamy deleted the feat-security-policy branch June 10, 2026 21:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant