diff --git a/DEVLOG.md b/DEVLOG.md index 28aad392..df7b6c85 100644 --- a/DEVLOG.md +++ b/DEVLOG.md @@ -15012,3 +15012,43 @@ safe API. - The `custom_sd.feature` oracle round-trip is **authored but not yet run** — `behave` needs the docker/syslog-ng oracle, which runs from WSL, not the devcontainer. Next step: pull the branch in WSL, run the `@udp` `custom_sd` scenario, confirm `detail "Hello World"` round-trips. + +## 2026-07-06 — Launch planning, epic audit, E19 security-docs elaboration, S19.03 SECURITY.md + +Returning after client work. Swept repo/issue state and planned the path to a +polished, presentable library plus the business-account migration. + +### Decisions +- Sequence: pre-migration polish (E19 security docs + E31 `Service()` 4-state to + lock the API shape) → transfer to Cozens org via GitHub Transfer (keep full + history, stay PRIVATE) → owner-reference sweep (62 `DavidCozens` refs) → E23 + docs site (Sphinx) against the stable API → go-public gate → 0.1.0. +- Contribution model: **closed to external code** (PolyForm Noncommercial + + dual-licensing needs clean copyright). Issues welcome, PRs by invitation. +- Community-health files folded into E23 as S23.08 (not a new epic). Account + migration / go-public need no epic yet. +- Epic audit: sub-issue roll-up % is unreliable under lazy elaboration. Audited + all 25 closed epic bodies + 7 open — all closed genuinely done bar intentional + declines (E16, E26 session resumption, E09). E19 was the false-100%: SBOM half + built, security-docs half never decomposed. +- E09 (C++ wrapper) closed as not-planned with rationale — C library is the + product; wrapper additive, no demand. +- E19 elaborated into S19.03–07 (per-story PRs). Intake: GitHub private reporting + → `cososo.co.uk/security/report` form → no email published. +- S19.03 SECURITY.md approved: tier-based scope, 72h/7d free-tier SLAs, 90+14 + disclosure, force-majeure + continuity (relicense-to-Apache-if-abandoned). + +### Deferred +- E18 flash (S18.04), E22 RFC 5848 signing, E25 fuzz — not launch blockers; + E25-C (OSS-Fuzz) blocked on public repo. +- release-please parked (PR #575, dangling 0.1.0 PR #101) — unpark story at the + docs/release phase; flagged on S19.06. + +### External (maintainer, off-repo) +- E19 preconditions: `/security/report` form → Gmail-routed inbox, Gmail filter + rules, `security@cososo.co.uk` forwarder. Flagged on S19.03; needed before + go-public since SECURITY.md links the form. + +### Open questions +- Merge order S19.03 vs S19.04 — SECURITY.md forward-links threat-model.md. +- Go-public: history curation + DEVLOG.md (792 KB) handling — decided at the gate. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..7cf6327c --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,94 @@ +# Security Policy + +Cozens Software Solutions Limited (COSOSO) takes the security of SolidSyslog +seriously. This policy explains how to report a vulnerability and what to +expect in return. + +## Reporting a vulnerability + +**Please do not report security issues in public GitHub issues, pull +requests, or discussions.** Use one of the private channels below: + +1. **GitHub private vulnerability reporting (preferred).** On this + repository, go to the **Security** tab → **Report a vulnerability**. + This opens a private advisory visible only to you and the maintainer. +2. **Web form.** If you cannot use GitHub, submit the form at + **https://cososo.co.uk/security/report**. It routes to a private inbox. + +We do not publish a security email address. Both channels above reach the +maintainer privately. + +### What to include + +The more of this you can provide, the faster we can triage: + +- Affected component — **Core**, **Platform**, or **Bdd** (see *Scope* below) +- Affected version, tag, or commit SHA +- A description of the issue and its impact +- Reproduction steps or a proof of concept +- Your assessment of severity, and whether it is being actively exploited +- Whether you wish to be credited, and how + +## Our commitments + +For the free (noncommercial) tier: + +- **Acknowledgement** within **72 hours** of receipt. +- **Initial triage** and a **CVSS v3.1** assessment within **7 days**. +- **Fixes** are best-effort and severity-driven. The free tier carries no + fixed fix-time SLA. Extended support and guaranteed timelines are + available under a commercial agreement. + +These timelines are best-effort commitments from a solo maintainer. They may +be exceeded during periods of illness, bereavement, or other circumstances +beyond the maintainer's control. In such cases the report will be +acknowledged and acted on as soon as is practicable. + +## Coordinated disclosure + +We follow coordinated disclosure with a **90-day** window from the date of +report, plus a **14-day grace period** if a fix is imminent at day 90. We +will credit reporters who wish to be named, by consent captured at intake. + +Advisories are published as **GitHub Security Advisories**. For +vulnerabilities in **Core** (see *Scope*), a **CVE** is requested via +GitHub's CNA. + +## Scope + +SolidSyslog is a source-available component assembled into a product by the +integrator. Security treatment follows the repository's support tiers: + +| Tier | Path | Treatment | +|---|---|---| +| 1 | `Core/` | Full treatment: CVE, advisory, fix, signed release, SBOM entry. | +| 2 | `Platform/` | Advisory treatment: public notice and an updated adapter. No CVE unless the root cause is in `Core/`. | +| 3 | `Bdd/Targets/` | Advisory treatment. Illustrative targets, not a supported product. | + +Test code, build infrastructure, CI configuration, and documentation are not +in scope for this policy. Vulnerabilities in third-party libraries you choose +to link (OpenSSL, Mbed TLS, an RTOS TCP stack, …) are the responsibility of +those projects and your own supply-chain process; SolidSyslog bundles none of +them. + +See the [threat model](docs/security/threat-model.md) for trust boundaries, +caller obligations, and what the library does and does not defend against. + +## Supported versions + +SolidSyslog is maintained as a **single mainline**. Security fixes land on the +**latest published release** only. There is no back-port commitment on the +free tier; back-ports are available under a commercial agreement. + +## Continuity + +If COSOSO ceases to maintain SolidSyslog without transferring it to a +successor maintainer, the then-current release will be relicensed under a +permissive open-source licence (for example Apache-2.0) so that existing +users are not stranded. + +## Commercial support + +For commercial licensing, guaranteed response times, or back-port support, +contact us via the form at +[cososo.co.uk](https://www.cososo.co.uk/#contact).