
chore: create security.txt #878

Merged · 9 commits · Feb 16, 2024

Conversation

daallgeier (Contributor)

Adding a security.txt file enables security researchers to quickly and easily see where they can submit security issues and know that they are being taken seriously. From the proposal website:

"When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely."

See also https://securitytxt.org


vercel bot commented Jan 28, 2024

@daallgeier is attempting to deploy a commit to the Documenso Team Team on Vercel.

A member of the Team first needs to authorize it.

Contributor

coderabbitai bot commented Jan 28, 2024

Important

Auto Review Skipped

Auto reviews are limited to the following labels: coderabbit. Please add one of these labels to enable auto reviews.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository.

To trigger a single review, invoke the @coderabbitai review command.



github-actions bot commented Jan 28, 2024

Hey there, and thank you for opening this pull request! 📝👋🏼

We require pull request titles to follow the Conventional Commits Spec and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "chore/create security.txt". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

@Mythie
Collaborator

Mythie commented Jan 28, 2024

Hey there, it looks like you haven't accepted our contributor license agreement yet. In order for us to accept your pull request we ask that you please fill out the CLA:

https://documen.so/cla

@daallgeier daallgeier changed the title Create security.txt chore/create security.txt Jan 28, 2024
@ephraimduncan ephraimduncan changed the title chore/create security.txt chore: create security.txt Jan 28, 2024
@ElTimuro
Member

  • @daallgeier makes sense
  • I like adding a minimal version first
  • Should this also contain an email for critical vulnerabilities to ensure time to react? Reporting everything publicly does not look ideal.

@daallgeier
Contributor Author

daallgeier commented Jan 29, 2024

  • great
  • it's supposed to be minimal. It's not a policy.
  • adding an email address like security@ helps for sure. It would be awesome if GH had a way to create issues marked as confidential that are only visible to the reporter, anyone cc'd, and the GH team, but for now it shall be an email address.

EDIT: apparently you can enable a beta for Privately Reporting Security issues: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability

Do that by adding another line with contact and either just the address or mailto:security@...

@Mythie
Collaborator

Mythie commented Jan 31, 2024

Should probably be under the public directory in both the marketing and web app; we can use a script to copy-paste it as we've done for pdfjs.

@daallgeier
Contributor Author

I guess that makes sense. I am not sure about (your) mono repo architecture(s).

@github-actions github-actions bot added the apps: marketing Issues related to website or marketing app label Feb 2, 2024
@Mythie
Collaborator

Mythie commented Feb 2, 2024

All sorted! Thanks Tangerine 🍊

Mythie previously approved these changes Feb 2, 2024
.well-known/security.txt (outdated)
apps/web/public/.well-known/security.txt (outdated)

const wellKnownPath = path.join(__dirname, '../.well-known');

console.log('Copying .well-known/ contents to apps');
Contributor

is this console log necessary?

Collaborator

It'll double log since we also echo in the pre-commit but I'd say this is also fine 😄

const wellKnownPath = path.join(__dirname, '../.well-known');

console.log('Copying .well-known/ contents to apps');
fs.cpSync(wellKnownPath, path.join(__dirname, '../apps/web/public/.well-known'), {
Contributor

cpSync is in Stage 1 and it says the following on their page: "Use of the feature is not recommended in production environments."

Should we go ahead and use it?

Member

@Mythie unsure about this. other than that, this is good to go IMO

Collaborator

It's a script rather than something in production; it's fine.

apps/marketing/public/.well-known/security.txt (outdated)

@Mythie Mythie merged commit e5f4edc into documenso:main Feb 16, 2024
7 of 12 checks passed