Skip to content

docs: consolidate security policy to canonical website URL#10559

Merged
dgarske merged 3 commits into
wolfSSL:masterfrom
MarkAtwood:security-policy-canonical-pointer
Jul 10, 2026
Merged

docs: consolidate security policy to canonical website URL#10559
dgarske merged 3 commits into
wolfSSL:masterfrom
MarkAtwood:security-policy-canonical-pointer

Conversation

@MarkAtwood

@MarkAtwood MarkAtwood commented May 29, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Replace the inline security policy with a thin pointer to the canonical
    coordinated vulnerability disclosure policy at
    https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt
  • Keep PGP key fingerprint, contact info, and report template reference
    in .github/SECURITY.md (what GitHub shows on the Security tab)
  • Delete SECURITY-POLICY.md (now redundant — canonical policy lives on
    the website)
  • Contact email is secure@wolfssl.com, consistent with the canonical
    policy and Chris Conlon's note (2026-06-01) that secure@ is the
    existing alias for inbound security reports

The website policy is the single source of truth, maintained for CRA
compliance. The report template (SECURITY-REPORT-TEMPLATE.md) is
unchanged.

Copilot AI review requested due to automatic review settings May 29, 2026 17:43

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR consolidates the repository’s coordinated vulnerability disclosure policy by removing the redundant in-repo policy document and pointing GitHub’s Security tab content to the canonical policy hosted on wolfssl.com.

Changes:

  • Delete SECURITY-POLICY.md (policy content no longer duplicated in-repo).
  • Update .github/SECURITY.md to include contact + PGP fingerprint and link to the canonical vulnerability disclosure policy URL.
  • Keep the vulnerability report template reference and CVE-submission direction via SECURITY-REPORT-TEMPLATE.md.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
SECURITY-POLICY.md Removes the duplicated in-repo security policy document.
.github/SECURITY.md Updates GitHub Security tab guidance to point to the canonical website policy and retains reporting details (contact, PGP fingerprint, template link).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/SECURITY.md Outdated
@MarkAtwood MarkAtwood requested a review from cconlon May 29, 2026 17:57
@github-actions

github-actions Bot commented May 29, 2026

Copy link
Copy Markdown

MemBrowse Memory Report

gcc-arm-cortex-m0plus

  • FLASH: .text +680 B (+1.1%, 64,155 B / 262,144 B, total: 24% used)

gcc-arm-cortex-m3

  • FLASH: .text +1,224 B (+1.0%, 122,481 B / 262,144 B, total: 47% used)

gcc-arm-cortex-m4

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .rodata.wolfSSL_ERR_reason_error_string.str1.1 +88 B, .text +1,472 B (+0.8%, 200,320 B / 262,144 B, total: 76% used)

gcc-arm-cortex-m4-baremetal

  • FLASH: .text +768 B (+1.2%, 66,827 B / 262,144 B, total: 25% used)

gcc-arm-cortex-m4-crypto-only

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .text +960 B (+0.6%, 174,568 B / 262,144 B, total: 67% used)

gcc-arm-cortex-m4-dtls13

  • FLASH: .text +1,344 B (+0.7%, 180,888 B / 1,048,576 B, total: 17% used)

gcc-arm-cortex-m4-min-ecc

  • FLASH: .text +704 B (+1.2%, 61,741 B / 262,144 B, total: 24% used)

gcc-arm-cortex-m4-openssl-compat

  • FLASH: .rodata +480 B, .text +4,416 B (+0.6%, 771,148 B / 1,048,576 B, total: 74% used)

gcc-arm-cortex-m4-pkcs7

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .text +1,536 B (+0.8%, 212,588 B / 262,144 B, total: 81% used)

gcc-arm-cortex-m4-pq

  • FLASH: .rodata +140 B, .text +2,112 B (+0.8%, 279,396 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m4-rsa-only

  • FLASH: .rodata +136 B, .text +2,240 B (+0.7%, 324,992 B / 1,048,576 B, total: 31% used)

gcc-arm-cortex-m4-sp-math

  • FLASH: .text +704 B (+1.2%, 61,741 B / 262,144 B, total: 24% used)

gcc-arm-cortex-m4-tls12

  • FLASH: .text +1,216 B (+1.0%, 123,213 B / 262,144 B, total: 47% used)

gcc-arm-cortex-m4-tls13

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .rodata.wolfSSL_ERR_reason_error_string.str1.1 +88 B, .text +1,472 B (+0.7%, 236,082 B / 262,144 B, total: 90% used)

gcc-arm-cortex-m7

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .rodata.wolfSSL_ERR_reason_error_string.str1.1 +88 B, .text +1,472 B (+0.8%, 200,320 B / 262,144 B, total: 76% used)

gcc-arm-cortex-m7-pq

  • FLASH: .rodata +140 B, .text +2,048 B (+0.8%, 279,972 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m7-tls13

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .rodata.wolfSSL_ERR_reason_error_string.str1.1 +88 B, .text +1,536 B (+0.7%, 236,146 B / 262,144 B, total: 90% used)

linuxkm-pie

  • Data: __patchable_function_entries +1,344 B (+5.6%, 25,552 B)

linuxkm-standard

  • Data: __patchable_function_entries +2,296 B (+5.0%, 48,216 B)

stm32-sim-stm32h753

  • FLASH: .text +1,968 B (+1.1%, 183,460 B / 2,097,152 B, total: 9% used)

Replace inline SECURITY-POLICY.md with a thin pointer in
.github/SECURITY.md to the canonical policy at
wolfssl.com/.well-known/vulnerability-disclosure-policy.txt.

Keeps PGP key, contact info, and report template reference.
Removes SECURITY-POLICY.md (now redundant).
Per Chris Conlon, secure@ is the existing alias for inbound security
reports. support@ is the general support inbox.

Aligns with the canonical /.well-known/security.txt and
vulnerability-disclosure-policy.txt.
@MarkAtwood MarkAtwood force-pushed the security-policy-canonical-pointer branch from 8cde47d to fe70129 Compare June 9, 2026 15:23
Comment thread SECURITY-POLICY.md
Comment thread .github/SECURITY.md Outdated
Comment thread .github/SECURITY.md Outdated
Comment thread SECURITY-POLICY.md
@dgarske dgarske removed the request for review from cconlon June 10, 2026 17:36
Address review feedback (dgarske):

- Restore SECURITY-POLICY.md instead of deleting it. The full policy
  (severity rubric, scope, coordinated disclosure, credit) stays in-repo;
  the canonical website URL is now presented as a mirror of it, not a
  replacement, so other repos can still reference one copy.
- SECURITY.md: prefer support@wolfssl.com, offer secure@wolfssl.com with
  the PGP key as an option, and drop the phone number.
- Restore the mandatory report-template requirement and the "keep the
  vulnerability private until a fix is released" guidance, resolving the
  contradiction between the intro and the template section.
@dgarske dgarske assigned danielinux and unassigned MarkAtwood Jul 10, 2026
@dgarske dgarske requested a review from danielinux July 10, 2026 14:55
@danielinux

Copy link
Copy Markdown
Member

Jenkins retest this please

@danielinux danielinux left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes are OK (although the description of the PR does not match)

@danielinux

Copy link
Copy Markdown
Member

@MarkAtwood please rebase so it can be merged

@dgarske dgarske merged commit 0913436 into wolfSSL:master Jul 10, 2026
315 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants