Skip to content

docs: S19.03 add SECURITY.md vulnerability disclosure policy#585

Open
DavidCozens wants to merge 2 commits into
mainfrom
docs/s19-03-security-policy
Open

docs: S19.03 add SECURITY.md vulnerability disclosure policy#585
DavidCozens wants to merge 2 commits into
mainfrom
docs/s19-03-security-policy

Conversation

@DavidCozens

@DavidCozens DavidCozens commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Adds SECURITY.md — the public vulnerability-disclosure anchor for E19 (CRA-ready reporting):

  • Intake via GitHub private vulnerability reporting (primary) and the cososo.co.uk/security/report web form (fallback). No email address published.
  • Free-tier commitments: 72h acknowledgement, 7-day triage + CVSS v3.1, best-effort severity-driven fixes.
  • 90 + 14-day coordinated disclosure; GHSA advisories, CVE for Core/ via GitHub's CNA.
  • Tier-based scope: Core/ full treatment, Platform/ + Bdd/Targets/ advisory-only.
  • Single-mainline support; force-majeure and continuity (relicense-if-abandoned) clauses.

Notes for review

  • Forward-links docs/security/threat-model.md (S19.04, separate PR) — merge that first or close behind to avoid a transient dead link on main.
  • The /security/report form is a maintainer off-repo precondition (flagged on S19.03: SECURITY.md — vulnerability disclosure policy #579); needs to be live before the repo goes public.
  • No hardcoded owner URLs beyond the cososo.co.uk contact form, so the file survives the pending Cozens-org migration untouched.

Closes #579

Summary by CodeRabbit

  • Documentation
    • Added a security policy outlining how to report vulnerabilities, what details to include, and expected response timelines.
    • Documented the coordinated disclosure process, publication approach, supported versions, and commercial support guidance.
    • Added a dated project log entry covering launch planning, security reporting readiness, and open rollout questions.

DavidCozens and others added 2 commits July 6, 2026 12:49
Public disclosure anchor for E19 (CRA-ready reporting). Intake via GitHub
private vulnerability reporting (primary) and the cososo.co.uk/security/report
web form (fallback); no email published. Documents free-tier response
commitments, 90+14 coordinated disclosure, tier-based scope, single-mainline
support, force-majeure and continuity clauses.

Forward-links docs/security/threat-model.md (S19.04, same batch).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds a new SECURITY.md file documenting vulnerability reporting channels, response commitments, coordinated disclosure timelines, scope/tier handling, and continuity licensing, plus a new dated DEVLOG.md entry recording launch-planning decisions and open questions.

Changes

Documentation Updates

Layer / File(s) Summary
Security disclosure policy
SECURITY.md
New file defining private reporting channels, submission requirements, maintainer response/triage timelines, coordinated disclosure window, scope/tier handling, supported versions, and continuity licensing.
Launch planning DEVLOG entry
DEVLOG.md
New dated entry documenting decisions, deferred items, external preconditions, and open questions about epic sequencing and go-public readiness.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related issues

Related issues

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The DEVLOG.md launch-planning entry is unrelated to #579's SECURITY.md policy and looks like extra scope. Move the DEVLOG update to a separate PR or justify it in the security-policy change description.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is conventional-commit styled and clearly summarizes the SECURITY.md policy addition.
Description check ✅ Passed It covers purpose, change details, scope notes, and closes the issue, with only the optional test evidence/areas sections omitted.
Linked Issues check ✅ Passed The change matches #579: root SECURITY.md, private reporting, no email, response timelines, disclosure window, scope tiers, and threat-model link.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/s19-03-security-policy

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Around line 92-94: The contact link in the commercial licensing paragraph is
owner-specific and should be removed or replaced with the durable security
disclosure endpoint. Update the SECURITY.md section containing the
licensing/support contact text so it points to /security/report instead of the
homepage contact form, or omit the link entirely, keeping the language aligned
with the policy’s migration-safe contract.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 37f1036d-55e2-4ec0-ace6-c6ebf9eeefe4

📥 Commits

Reviewing files that changed from the base of the PR and between f4c8ff1 and 71b002a.

📒 Files selected for processing (2)
  • DEVLOG.md
  • SECURITY.md

Comment thread SECURITY.md
Comment on lines +92 to +94
For commercial licensing, guaranteed response times, or back-port support,
contact us via the form at
[cososo.co.uk](https://www.cososo.co.uk/#contact).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Remove the owner-specific contact link.

This section should stay on the durable disclosure endpoint only. The homepage contact link is owner-specific, so it weakens the migration-safe contract this policy is meant to provide. Prefer the /security/report form here too, or drop the link entirely.

♻️ Proposed fix
 For commercial licensing, guaranteed response times, or back-port support,
-contact us via the form at
-[cososo.co.uk](https://www.cososo.co.uk/#contact).
+contact us via the form at
+https://cososo.co.uk/security/report.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
For commercial licensing, guaranteed response times, or back-port support,
contact us via the form at
[cososo.co.uk](https://www.cososo.co.uk/#contact).
For commercial licensing, guaranteed response times, or back-port support,
contact us via the form at
https://cososo.co.uk/security/report.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 92 - 94, The contact link in the commercial
licensing paragraph is owner-specific and should be removed or replaced with the
durable security disclosure endpoint. Update the SECURITY.md section containing
the licensing/support contact text so it points to /security/report instead of
the homepage contact form, or omit the link entirely, keeping the language
aligned with the policy’s migration-safe contract.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

☀️   Quality Summary

   🚦   build-linux-gcc: 100% successful (✔️ 1521 passed)
   🚦   build-freertos-host-tdd-plustcp: 100% successful (✔️ 1872 passed)
   🚦   build-linux-clang: 100% successful (✔️ 1453 passed)
   🚦   sanitize-linux-gcc: 100% successful (✔️ 1453 passed)
   🚦   integration-linux-openssl: 100% successful (✔️ 16 passed)
   🚦   integration-linux-mbedtls: 100% successful (✔️ 14 passed)
   🚦   integration-windows-openssl: 100% successful (✔️ 16 passed)
   🚦   bdd-linux-syslog-ng: 94% successful (✔️ 49 passed, 🙈 3 skipped)
   🚦   bdd-windows-otel: 88% successful (✔️ 46 passed, 🙈 6 skipped)
   🚦   bdd-freertos-qemu-plustcp: 87% successful (✔️ 45 passed, 🙈 7 skipped)
   🚦   bdd-freertos-qemu-lwip: 87% successful (✔️ 45 passed, 🙈 7 skipped)
   🚦   build-windows-msvc: 100% successful (✔️ 1298 passed)
   🚦   build-linux-tunable-override: 100% successful (✔️ 1453 passed)
   ⚠️   Clang-Tidy: No warnings
   ⚠️   CPPCheck: No warnings


Created by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

S19.03: SECURITY.md — vulnerability disclosure policy

1 participant