Skip to content

S19.03: SECURITY.md — vulnerability disclosure policy #579

Description

@DavidCozens

Parent epic: #155

Deliver SECURITY.md at the repo root — the public vulnerability-disclosure anchor. Fully specced in E19 (#155); no design work outstanding.

Scope

  • Intake channels: GitHub private vulnerability reporting (primary) then the web form at https://cososo.co.uk/security/report (fallback) then no email address published. A security@cososo.co.uk forwarder exists as an unadvertised safety net.
  • Response commitments (free tier): acknowledge within 72h; initial triage + CVSS v3.1 within 7 days; fix best-effort, severity-driven (no fixed SLA).
  • Force-majeure clause: humane paragraph — timelines are best-effort and may slip during illness, bereavement, or other unavailability.
  • Coordinated disclosure: 90 days + 14-day grace.
  • Continuity commitment: if COSOSO ceases maintenance without a successor, the current release is relicensed under a permissive OSS licence (e.g. Apache 2.0) so users are not stranded.
  • Scope boundary: Tier 1 Core/ gets full treatment (CVE, advisory, fix, signed release, SBOM entry); Tier 2 Platform/ and Tier 3 Bdd/ get advisory-only treatment, no CVE unless the root cause is in Core/.
  • Link to the threat model (S19.04).

External preconditions (maintainer tasks, off-repo — build alongside so the URLs this doc publishes are live)

  • /security/report web form to a Gmail-routed inbox (fields per E19: reporter contact required, component radio, version, description, repro, suggested severity, actively-exploited checkbox, credit consent; anti-bot; no attachments v1).
  • Gmail filtering rules so reports are mobile-visible.
  • security@cososo.co.uk forwarder.

Acceptance

SECURITY.md present, cross-links resolve, GitHub "Report a vulnerability" enabled (S19.07), form URL live. No hardcoded owner URLs beyond the cososo.co.uk form (relative repo links) so it survives the account migration.

Metadata

Metadata

Assignees

No one assigned

    Labels

    storyStory issue

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions