
Refactor security policy into two-tier structure#1467

Merged
omroy07 merged 2 commits into omroy07:main from Nitya-003:main
Feb 11, 2026

Conversation

@Nitya-003
Contributor

Which issue does this PR close?

Rationale for this change

The previous SECURITY.md was overly dense (300+ lines), blending high-level reporting policies with low-level code implementation details. This created two major issues:

  1. Critical Friction: Security researchers had to scroll extensively to find reporting instructions, which could lead to public disclosure instead of private reporting.
  2. User Confusion: Including "Before Fix" code snippets in the root security file risked users accidentally implementing vulnerable patterns by skimming the document.

By moving to a "Two-Tier" structure, we ensure the project remains "Production-Ready" and accessible for SWOC'26 contributors.

What changes are included in this PR?

  1. Streamlined SECURITY.md:
    • Refactored into a concise, 1-page guide.
    • Added Safe Harbor language to protect ethical researchers.
    • Implemented a structured Vulnerability Report Template.
  2. Created docs/SECURITY_IMPLEMENTATION.md:
    • Relocated all technical deep-dives (SQLi/XSS/File Upload "Before vs After" examples) to this file.
    • Preserved the "Security Hall of Fame" and testing payloads for developer reference.
  3. Visual Improvements: Used GitHub-native alert blocks (> [!IMPORTANT]) to highlight the private disclosure requirement.

Are these changes tested?

Documentation-only changes. I have verified:
* All internal links between SECURITY.md and docs/SECURITY_IMPLEMENTATION.md are functional.
* Mermaid diagrams and Markdown formatting render correctly in GitHub preview.

Are there any user-facing changes?

Yes. Users looking for the technical security breakdown will now find it in the docs/ folder instead of the root SECURITY.md. The root file now serves exclusively as a security policy and reporting guide.

SWOC'26
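The PR description says the cross-links between SECURITY.md and docs/SECURITY_IMPLEMENTATION.md were verified by hand. The script below is an added example (not code from this PR or the omroy07 repository) of how to make that check repeatable: it scans each file for relative Markdown links, confirms the target file exists, and, when the link carries a `#fragment`, confirms a heading with that GitHub-style anchor exists in the target. Fenced code blocks are stripped first so a `# Before fix` comment inside a code sample is not mistaken for a heading. The two sample files, their headings and their links are constructed for the demo and do not reproduce the project's actual documents; the anchor slug rule is an approximation of GitHub's.

```python
"""Hypothetical relative-link checker for a two-tier SECURITY.md layout (added example)."""
import os
import re
import tempfile

# Inline [text](target) links; the (?<!!) lookbehind skips ![image](...) embeds.
LINK_RE = re.compile(r'(?<!!)\[[^\]]*\]\(([^)\s]+)(?:\s+"[^"]*")?\)')
# ATX headings such as "## Reporting a Vulnerability".
HEADING_RE = re.compile(r'^#{1,6}[ \t]+(.+?)[ \t]*#*[ \t]*$', re.M)
# Fenced code blocks (``` or ~~~), removed before scanning for headings/links.
FENCE_RE = re.compile(r'^(`{3,}|~{3,})[^\n]*\n.*?^\1[ \t]*$', re.M | re.S)
# Anything with a URL scheme (https:, mailto:, ...) is external and not checked here.
EXTERNAL_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*:')


def github_slug(heading):
    """Approximate GitHub's heading-anchor rule: lowercase, drop punctuation, spaces to hyphens."""
    text = re.sub(r'[^\w\- ]', '', heading.strip().lower())
    return text.replace(' ', '-')


def read_markdown(path):
    """Return the file contents with fenced code blocks removed."""
    with open(path, encoding='utf-8') as fh:
        return FENCE_RE.sub('', fh.read())


def anchors_in(markdown_text):
    return {github_slug(h) for h in HEADING_RE.findall(markdown_text)}


def check_internal_links(repo_root, rel_paths):
    """Return (source_file, link_target, reason) for every broken relative link."""
    problems = []
    for rel in rel_paths:
        src = os.path.join(repo_root, rel)
        for target in LINK_RE.findall(read_markdown(src)):
            if EXTERNAL_RE.match(target) or target.startswith('//'):
                continue
            path_part, _, fragment = target.partition('#')
            # A bare "#anchor" link points back into the same file.
            dest = src if not path_part else os.path.normpath(
                os.path.join(os.path.dirname(src), path_part))
            if not os.path.isfile(dest):
                problems.append((rel, target, 'file not found'))
                continue
            if fragment and fragment.lower() not in anchors_in(read_markdown(dest)):
                problems.append((rel, target, 'anchor not found'))
    return problems


# Constructed sample documents for the demo; not the project's real files.
SAMPLE_FILES = {
    'SECURITY.md': (
        '# Security Policy\n\n'
        '> [!IMPORTANT]\n'
        '> Report privately; see [Reporting](#reporting-a-vulnerability).\n\n'
        '## Reporting a Vulnerability\n\n'
        'Details: [implementation guide](docs/SECURITY_IMPLEMENTATION.md#sql-injection).\n'
        'Payloads: [testing payloads](docs/SECURITY_IMPLEMENTATION.md#testing-payloads).\n'
        'Credits: [hall of fame](docs/HALL_OF_FAME.md).\n'
        'Upstream: [advisories](https://github.com/advisories).\n'
    ),
    'docs/SECURITY_IMPLEMENTATION.md': (
        '# Security Implementation Guide\n\n'
        'Back to the [policy](../SECURITY.md).\n\n'
        '## SQL Injection\n\n'
        '~~~python\n'
        '# Before fix (this comment must not be read as a heading)\n'
        'query = "SELECT * FROM users WHERE name = \'" + name + "\'"\n'
        '~~~\n\n'
        '## Security Hall of Fame\n'
    ),
}


def demo():
    """Write the sample files to a temp dir and return the broken links found."""
    root = tempfile.mkdtemp()
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(body)
    return check_internal_links(root, list(SAMPLE_FILES))


if __name__ == '__main__':
    for source, link, reason in demo():
        print(f'{source}: {link} -> {reason}')
```

On the constructed sample the checker reports two problems: the `#testing-payloads` fragment has no matching heading, and docs/HALL_OF_FAME.md does not exist; the in-file `#reporting-a-vulnerability` link, the `../SECURITY.md` back-link and the external URL pass. Run it against a real checkout with `check_internal_links(repo_root, ['SECURITY.md', 'docs/SECURITY_IMPLEMENTATION.md'])` from a CI step so a later rename cannot silently break the reporting instructions.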

@vercel

vercel bot commented Feb 11, 2026

@Nitya-003 is attempting to deploy a commit to the Om Roy's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

Thanks for creating a PR for your Issue! ☺️

We'll review it as soon as possible.
In the meantime, please double-check the file changes and ensure that all commits are accurate.

If there are any unresolved review comments, feel free to resolve them. 🙌🏼

@omroy07 omroy07 merged commit 0a60249 into omroy07:main Feb 11, 2026
2 of 6 checks passed
@github-actions

🎉 Congrats @Nitya-003 on getting your PR merged! 🙌
Thanks for the contribution — looking forward to more from you 🚀



Development

Successfully merging this pull request may close these issues.

Refactor SECURITY.md for better readability and actionable reporting

2 participants