docs: S19.03 add SECURITY.md vulnerability disclosure policy#585
docs: S19.03 add SECURITY.md vulnerability disclosure policy#585DavidCozens wants to merge 2 commits into
Conversation
Public disclosure anchor for E19 (CRA-ready reporting). Intake via GitHub private vulnerability reporting (primary) and the cososo.co.uk/security/report web form (fallback); no email published. Documents free-tier response commitments, 90+14 coordinated disclosure, tier-based scope, single-mainline support, force-majeure and continuity clauses. Forward-links docs/security/threat-model.md (S19.04, same batch). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
📝 WalkthroughWalkthroughThis PR adds a new ChangesDocumentation Updates
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related issues
Related issues
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@SECURITY.md`:
- Around line 92-94: The contact link in the commercial licensing paragraph is
owner-specific and should be removed or replaced with the durable security
disclosure endpoint. Update the SECURITY.md section containing the
licensing/support contact text so it points to /security/report instead of the
homepage contact form, or omit the link entirely, keeping the language aligned
with the policy’s migration-safe contract.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
| For commercial licensing, guaranteed response times, or back-port support, | ||
| contact us via the form at | ||
| [cososo.co.uk](https://www.cososo.co.uk/#contact). |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win
Remove the owner-specific contact link.
This section should stay on the durable disclosure endpoint only. The homepage contact link is owner-specific, so it weakens the migration-safe contract this policy is meant to provide. Prefer the /security/report form here too, or drop the link entirely.
♻️ Proposed fix
For commercial licensing, guaranteed response times, or back-port support,
-contact us via the form at
-[cososo.co.uk](https://www.cososo.co.uk/#contact).
+contact us via the form at
+https://cososo.co.uk/security/report.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| For commercial licensing, guaranteed response times, or back-port support, | |
| contact us via the form at | |
| [cososo.co.uk](https://www.cososo.co.uk/#contact). | |
| For commercial licensing, guaranteed response times, or back-port support, | |
| contact us via the form at | |
| https://cososo.co.uk/security/report. |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@SECURITY.md` around lines 92 - 94, The contact link in the commercial
licensing paragraph is owner-specific and should be removed or replaced with the
durable security disclosure endpoint. Update the SECURITY.md section containing
the licensing/support contact text so it points to /security/report instead of
the homepage contact form, or omit the link entirely, keeping the language
aligned with the policy’s migration-safe contract.
☀️ Quality Summary 🚦 build-linux-gcc: 100% successful (✔️ 1521 passed) Created by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result. |
Adds
SECURITY.md— the public vulnerability-disclosure anchor for E19 (CRA-ready reporting):cososo.co.uk/security/reportweb form (fallback). No email address published.Core/via GitHub's CNA.Core/full treatment,Platform/+Bdd/Targets/advisory-only.Notes for review
docs/security/threat-model.md(S19.04, separate PR) — merge that first or close behind to avoid a transient dead link onmain./security/reportform is a maintainer off-repo precondition (flagged on S19.03: SECURITY.md — vulnerability disclosure policy #579); needs to be live before the repo goes public.Closes #579
Summary by CodeRabbit