Parent epic: #155
Deliver SECURITY.md at the repo root — the public vulnerability-disclosure anchor. Fully specced in E19 (#155); no design work outstanding.
Scope
- Intake channels: GitHub private vulnerability reporting (primary) then the web form at
https://cososo.co.uk/security/report (fallback) then no email address published. A security@cososo.co.uk forwarder exists as an unadvertised safety net.
- Response commitments (free tier): acknowledge within 72h; initial triage + CVSS v3.1 within 7 days; fix best-effort, severity-driven (no fixed SLA).
- Force-majeure clause: humane paragraph — timelines are best-effort and may slip during illness, bereavement, or other unavailability.
- Coordinated disclosure: 90 days + 14-day grace.
- Continuity commitment: if COSOSO ceases maintenance without a successor, the current release is relicensed under a permissive OSS licence (e.g. Apache 2.0) so users are not stranded.
- Scope boundary: Tier 1
Core/ gets full treatment (CVE, advisory, fix, signed release, SBOM entry); Tier 2 Platform/ and Tier 3 Bdd/ get advisory-only treatment, no CVE unless the root cause is in Core/.
- Link to the threat model (S19.04).
External preconditions (maintainer tasks, off-repo — build alongside so the URLs this doc publishes are live)
/security/report web form to a Gmail-routed inbox (fields per E19: reporter contact required, component radio, version, description, repro, suggested severity, actively-exploited checkbox, credit consent; anti-bot; no attachments v1).
- Gmail filtering rules so reports are mobile-visible.
security@cososo.co.uk forwarder.
Acceptance
SECURITY.md present, cross-links resolve, GitHub "Report a vulnerability" enabled (S19.07), form URL live. No hardcoded owner URLs beyond the cososo.co.uk form (relative repo links) so it survives the account migration.
Parent epic: #155
Deliver
SECURITY.mdat the repo root — the public vulnerability-disclosure anchor. Fully specced in E19 (#155); no design work outstanding.Scope
https://cososo.co.uk/security/report(fallback) then no email address published. Asecurity@cososo.co.ukforwarder exists as an unadvertised safety net.Core/gets full treatment (CVE, advisory, fix, signed release, SBOM entry); Tier 2Platform/and Tier 3Bdd/get advisory-only treatment, no CVE unless the root cause is inCore/.External preconditions (maintainer tasks, off-repo — build alongside so the URLs this doc publishes are live)
/security/reportweb form to a Gmail-routed inbox (fields per E19: reporter contact required, component radio, version, description, repro, suggested severity, actively-exploited checkbox, credit consent; anti-bot; no attachments v1).security@cososo.co.ukforwarder.Acceptance
SECURITY.mdpresent, cross-links resolve, GitHub "Report a vulnerability" enabled (S19.07), form URL live. No hardcoded owner URLs beyond the cososo.co.uk form (relative repo links) so it survives the account migration.