
docs: add security policy and advisory issue template#6

Merged
aseguragonzalez merged 3 commits into main from docs/security-policy on May 7, 2026

Conversation

@aseguragonzalez
Owner

Summary

  • Adds SECURITY.md following GitHub's recommended security policy format and Google Project Zero's 90-day coordinated disclosure standard. Covers: supported versions, two private reporting channels (GitHub Security Advisories + email), response SLAs, coordinated disclosure steps (GHSA → CVE → CHANGELOG), scope definition, and supply-chain best practices for consumers.
  • Adds .github/ISSUE_TEMPLATE/security_advisory.yml — a public issue template gated behind a prominent warning. Intended only for post-disclosure discussion after a CVE is already published, preventing accidental public exposure of live vulnerabilities.
  • Updates .github/ISSUE_TEMPLATE/config.yml to surface the private Security Advisories link directly in the "New Issue" picker, reducing the friction of responsible disclosure.

Test plan

  • Verify SECURITY.md renders correctly on GitHub and all links resolve.
  • Open a new issue in the repo and confirm the "Security Vulnerability (private)" contact link appears and points to the draft-advisory form.
  • Confirm the security_advisory.yml template appears in the issue picker with the warning banner visible.
  • Enable GitHub's built-in Security Policy feature (Security → Policy) so GitHub links to SECURITY.md automatically.

🤖 Generated with Claude Code
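As an added illustration (not the files from this PR), here is what the two template pieces described in the summary look like in GitHub's issue-form and config schema: a private contact link in the picker, and a public form gated behind a warning that requires an already-published identifier. The repository URL is assumed from the session link in this thread.

```yaml
# .github/ISSUE_TEMPLATE/config.yml
# Hide the "blank issue" option so reporters must pick a template or a contact link.
blank_issues_enabled: false
contact_links:
  - name: Security Vulnerability (private)
    # Assumed repo path; the "advisories/new" page opens GitHub's draft-advisory form,
    # which is visible only to maintainers, so nothing leaks into the public tracker.
    url: https://github.com/aseguragonzalez/python-seedwork/security/advisories/new
    about: Report a vulnerability privately. Do NOT open a public issue for live vulnerabilities.

---
# .github/ISSUE_TEMPLATE/security_advisory.yml (post-disclosure only)
name: Security Advisory (post-disclosure)
description: Public discussion of an advisory that has ALREADY been published.
title: "[SECURITY] "
labels: ["security"]
body:
  - type: markdown
    attributes:
      value: |
        > **Warning**
        > This template is for vulnerabilities that already have a published
        > GHSA or CVE. If you are reporting a new, unpatched issue, stop and use
        > the private "Security Vulnerability" link in the issue picker instead.
  - type: input
    id: advisory-id
    attributes:
      label: Published advisory identifier
      description: The GHSA or CVE identifier that is already public.
      placeholder: CVE-YYYY-NNNNN or GHSA-xxxx-xxxx-xxxx
    validations:
      required: true
  - type: checkboxes
    id: confirm-public
    attributes:
      label: Confirmation
      options:
        - label: I confirm this advisory is already published and contains no undisclosed details.
          required: true
  - type: textarea
    id: discussion
    attributes:
      label: Discussion
      description: Questions about the fix, affected versions, or mitigation guidance.
    validations:
      required: true
```

The required identifier and checkbox are the "gate": a reporter cannot submit the public form without first asserting that the issue is already disclosed.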

Adds SECURITY.md with responsible disclosure process, supported versions,
coordinated disclosure timeline, and supply-chain guidance for consumers.
Adds a GitHub issue template for post-disclosure public advisories and
updates the issue template config with a private reporting contact link.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 7, 2026 17:24
Contributor

Copilot AI left a comment


Pull request overview

Adds a repository security policy and issue-template wiring to guide responsible vulnerability disclosure and reduce accidental public reporting.

Changes:

  • Introduces SECURITY.md with supported-versions guidance, private reporting channels, and coordinated disclosure expectations.
  • Adds a public “Security Advisory” issue form intended for post-disclosure discussion (after CVE/advisory publication).
  • Updates issue template configuration to surface a private “Security Vulnerability” contact link in the issue picker.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| SECURITY.md | Adds a security policy document covering reporting channels, timelines, scope, and consumer guidance. |
| .github/ISSUE_TEMPLATE/security_advisory.yml | Adds an issue form for post-disclosure public discussion of already-published advisories/CVEs. |
| .github/ISSUE_TEMPLATE/config.yml | Adds a private security advisory contact link to the new-issue picker. |


Comment thread on .github/SECURITY.md (outdated)
Comment on lines +75 to +76
- Verify the PyPI release signature via `sigstore` (signatures are attached to
each GitHub release).
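Review bot: the parenthetical "(signatures are attached to each GitHub release)" on lines +75 to +76 asserts as fact that sigstore signatures ship with every release; if the release pipeline does not yet produce them, a consumer following this step will fail verification and lose trust in the rest of the policy. Suggest conditional wording, e.g. "Where a release ships a sigstore signature, verify it before installing", and only promise per-release signatures once the release workflow actually produces them.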
Relocates SECURITY.md, CONTRIBUTING.md, and CODE_OF_CONDUCT.md from the
repository root to .github/ following the industry-standard layout for
open-source projects. README.md, LICENSE, and CHANGELOG.md remain at root.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@aseguragonzalez
Owner Author

@copilot apply changes based on the comments in this thread

Agent-Logs-Url: https://github.com/aseguragonzalez/python-seedwork/sessions/2f152160-3527-4e8a-aa0e-9ded5309cac9

Co-authored-by: aseguragonzalez <2671340+aseguragonzalez@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 7, 2026 17:38
@aseguragonzalez aseguragonzalez review requested due to automatic review settings May 7, 2026 17:38
Contributor

Copilot AI commented May 7, 2026

@copilot apply changes based on the comments in this thread

Implemented in commit cbcbd0f. I updated .github/SECURITY.md to (1) replace `< latest` with `older than latest` for reliable Markdown rendering and (2) soften the supply-chain guidance so it no longer implies signatures are currently attached to each release.

@aseguragonzalez aseguragonzalez merged commit 0d20136 into main May 7, 2026
5 checks passed
@aseguragonzalez aseguragonzalez deleted the docs/security-policy branch May 7, 2026 17:48