Skip to content

Create SECURITY.md #188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Create SECURITY.md #188

wants to merge 1 commit into from

Conversation

sisodiabhumca
Copy link

@sisodiabhumca sisodiabhumca commented Aug 27, 2025
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • Documentation
    • Added a Security Policy document outlining how to report vulnerabilities and what to expect during the process.
    • Includes a Supported Versions section with a clear matrix indicating which versions receive security updates.
    • Provides guidance on communication channels, response timelines, and update expectations for reported issues.

@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Aug 27, 2025
edited
Loading

Walkthrough

Adds a new SECURITY.md with a security policy detailing supported versions and vulnerability reporting procedures.

Changes

Cohort / File(s) Summary of Changes
Security Policy Docs
SECURITY.md		 Added security policy document with Supported Versions table and Reporting a Vulnerability instructions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

I thump with joy, my paws approve—
A shield of text, our safety groove.
Versions tallied, risks in sight,
Report the holes, patch them tight.
Carrot raised to policies clear—
Securely we hop, with no more fear. 🥕✨

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

  • Visit our Status Page to check the current availability of CodeRabbit.
  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai bot reviewed Aug 27, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
SECURITY.md (1)

1-3: Consider relocating to .github/SECURITY.md for GitHub’s native surfacing.

GitHub also recognizes SECURITY.md at repo root, but placing it under .github/ helps standardize across repos.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2186b84 and 94e9656.

📒 Files selected for processing (1)
  • SECURITY.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
SECURITY.md

[grammar] ~5-~5: There might be a mistake here.
Context: ...about which versions of your project are currently being supported with security ...

(QB_NEW_EN)

[grammar] ~8-~8: There might be a mistake here.
Context: ...dates. | Version | Supported | | ------- | ------------------ | | 5.1.x...

(QB_NEW_EN)

[grammar] ~9-~9: There might be a mistake here.
Context: ... | | ------- | ------------------ | | 5.1.x | ✅ | | 5.0.x...

(QB_NEW_EN)

[grammar] ~10-~10: There might be a mistake here.
Context: ...----- | | 5.1.x | ✅ | | 5.0.x | ❌ | | 4.0.x...

(QB_NEW_EN)

[grammar] ~11-~11: There might be a mistake here.
Context: ...mark: | | 5.0.x | ❌ | | 4.0.x | ✅ | | < 4.0...

(QB_NEW_EN)

[grammar] ~12-~12: There might be a mistake here.
Context: ... | | 4.0.x | ✅ | | < 4.0 | ❌ | ## Rep...

(QB_NEW_EN)

🔇 Additional comments (1)
SECURITY.md (1)

8-13: The script above will list all tags in the repository so we can verify if semver tags exist. Please share the output to determine the correct values for the Supported Versions table.

SECURITY.md
Comment on lines +5 to +7
Use this section to tell people about which versions of your project are
currently being supported with security updates.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Replace placeholder guidance with a clear policy statement.

Current wording reads like a template. Make it explicit which releases get fixes.

-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
+We provide security fixes only for the release lines listed below. Versions not listed are end‑of‑life and do not receive security updates.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Use this section to tell people about which versions of your project are
currently being supported with security updates.
We provide security fixes only for the release lines listed below. Versions not listed are end-of-life and do not receive security updates.
🧰 Tools
🪛 LanguageTool

[grammar] ~5-~5: There might be a mistake here.
Context: ...about which versions of your project are currently being supported with security ...

(QB_NEW_EN)

🤖 Prompt for AI Agents 
In SECURITY.md around lines 5 to 7, the current text is a placeholder template;
replace it with a concrete security maintenance policy specifying which release
lines receive security fixes (e.g., "We provide security fixes for the current
major release and the previous minor release for 12 months after their initial
release; critical/severe issues may receive extended support"), include how long
fixes are provided, which versions are supported (exact semantic versions or
branches), and where to report vulnerabilities; update the wording to a
definitive, actionable statement rather than a template sentence.

SECURITY.md
Comment on lines +15 to +21
## Reporting a Vulnerability

Use this section to tell people how to report a vulnerability.

Tell them where to go, how often they can expect to get an update on a
reported vulnerability, what to expect if the vulnerability is accepted or
declined, etc.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Provide concrete, private reporting instructions, SLAs, and safe‑harbor.

Reporting guidance is still template text. Add a private channel (GitHub security advisory and/or email), acknowledgement/fix timelines, what info to include, disclosure policy, and legal safe‑harbor. This materially improves researcher experience.

-## Reporting a Vulnerability
-
-Use this section to tell people how to report a vulnerability.
-
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+## Reporting a Vulnerability
+
+Please do not open public issues for security reports.
+
+- Preferred: Open a private GitHub Security Advisory for this repository (Security → Advisories → Report a vulnerability).
+- Alternative: Email security@<your-domain> (PGP optional; see key below).
+
+We will:
+- Acknowledge receipt within 3 business days.
+- Provide an initial assessment or remediation ETA within 7 business days.
+- Credit reporters upon request after a fix is released.
+
+Please include: affected versions/commit, impact, reproduction steps or PoC, environment, and proposed severity (CVSS if available).
+
+## Coordinated Disclosure
+We ask for coordinated disclosure. We will agree on a public disclosure date once a fix or mitigation is available. Please avoid testing that could disrupt production or access data you do not own.
+
+## Safe Harbor
+We will not pursue legal action for good‑faith research that follows this policy and avoids privacy violations, data exfiltration, or service degradation. If you are unsure, contact us first.
+
+## Optional: PGP Key
+Fingerprint: <fill‑in>  
+Key: <URL or block>

If you prefer lighter wording, I can trim this to a shorter policy.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## Reporting a Vulnerability
Use this section to tell people how to report a vulnerability.
Tell them where to go, how often they can expect to get an update on a
reported vulnerability, what to expect if the vulnerability is accepted or
declined, etc.
## Reporting a Vulnerability
Please do not open public issues for security reports.
- Preferred: Open a private GitHub Security Advisory for this repository (Security → Advisories → Report a vulnerability).
- Alternative: Email security@<your-domain> (PGP optional; see key below).
We will:
- Acknowledge receipt within 3 business days.
- Provide an initial assessment or remediation ETA within 7 business days.
- Credit reporters upon request after a fix is released.
Please include: affected versions/commit, impact, reproduction steps or PoC, environment, and proposed severity (CVSS if available).
## Coordinated Disclosure
We ask for coordinated disclosure. We will agree on a public disclosure date once a fix or mitigation is available. Please avoid testing that could disrupt production or access data you do not own.
## Safe Harbor
We will not pursue legal action for good-faith research that follows this policy and avoids privacy violations, data exfiltration, or service degradation. If you are unsure, contact us first.
## Optional: PGP Key
Fingerprint: <fill-in>
Key: <URL or block>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sisodiabhumca