Skip to content

Add SECURITY.md with a vulnerability disclosure policy #36

Description

@nojibe

Problem

There is no SECURITY.md. The project handles API keys (see .env.template), runs untrusted user-supplied blueprints, and calls out to multiple LLM providers — but there is no documented way to privately report a vulnerability.

Proposed change

Add a root SECURITY.md covering:

  • Supported versions / scope
  • A private reporting channel (GitHub private vulnerability reporting and/or a security email)
  • Expected response/triage timeline
  • Guidance on what not to include in a public issue (secrets, PII, live keys)

Enable GitHub Private Vulnerability Reporting in repo settings so the "Report a vulnerability" button appears.

Acceptance criteria

  • SECURITY.md exists at repo root and is linked from the README
  • A private reporting path is documented
  • Private vulnerability reporting enabled in Settings → Security

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions