Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions DEVLOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -15012,3 +15012,43 @@ safe API.
- The `custom_sd.feature` oracle round-trip is **authored but not yet run** — `behave` needs
the docker/syslog-ng oracle, which runs from WSL, not the devcontainer. Next step: pull the
branch in WSL, run the `@udp` `custom_sd` scenario, confirm `detail "Hello World"` round-trips.

## 2026-07-06 — Launch planning, epic audit, E19 security-docs elaboration, S19.03 SECURITY.md

Returning after client work. Swept repo/issue state and planned the path to a
polished, presentable library plus the business-account migration.

### Decisions
- Sequence: pre-migration polish (E19 security docs + E31 `Service()` 4-state to
lock the API shape) → transfer to Cozens org via GitHub Transfer (keep full
history, stay PRIVATE) → owner-reference sweep (62 `DavidCozens` refs) → E23
docs site (Sphinx) against the stable API → go-public gate → 0.1.0.
- Contribution model: **closed to external code** (PolyForm Noncommercial +
dual-licensing needs clean copyright). Issues welcome, PRs by invitation.
- Community-health files folded into E23 as S23.08 (not a new epic). Account
migration / go-public need no epic yet.
- Epic audit: sub-issue roll-up % is unreliable under lazy elaboration. Audited
all 25 closed epic bodies + 7 open — all closed genuinely done bar intentional
declines (E16, E26 session resumption, E09). E19 was the false-100%: SBOM half
built, security-docs half never decomposed.
- E09 (C++ wrapper) closed as not-planned with rationale — C library is the
product; wrapper additive, no demand.
- E19 elaborated into S19.03–07 (per-story PRs). Intake: GitHub private reporting
→ `cososo.co.uk/security/report` form → no email published.
- S19.03 SECURITY.md approved: tier-based scope, 72h/7d free-tier SLAs, 90+14
disclosure, force-majeure + continuity (relicense-to-Apache-if-abandoned).

### Deferred
- E18 flash (S18.04), E22 RFC 5848 signing, E25 fuzz — not launch blockers;
E25-C (OSS-Fuzz) blocked on public repo.
- release-please parked (PR #575, dangling 0.1.0 PR #101) — unpark story at the
docs/release phase; flagged on S19.06.

### External (maintainer, off-repo)
- E19 preconditions: `/security/report` form → Gmail-routed inbox, Gmail filter
rules, `security@cososo.co.uk` forwarder. Flagged on S19.03; needed before
go-public since SECURITY.md links the form.

### Open questions
- Merge order S19.03 vs S19.04 — SECURITY.md forward-links threat-model.md.
- Go-public: history curation + DEVLOG.md (792 KB) handling — decided at the gate.
94 changes: 94 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
# Security Policy

Cozens Software Solutions Limited (COSOSO) takes the security of SolidSyslog
seriously. This policy explains how to report a vulnerability and what to
expect in return.

## Reporting a vulnerability

**Please do not report security issues in public GitHub issues, pull
requests, or discussions.** Use one of the private channels below:

1. **GitHub private vulnerability reporting (preferred).** On this
repository, go to the **Security** tab → **Report a vulnerability**.
This opens a private advisory visible only to you and the maintainer.
2. **Web form.** If you cannot use GitHub, submit the form at
**https://cososo.co.uk/security/report**. It routes to a private inbox.

We do not publish a security email address. Both channels above reach the
maintainer privately.

### What to include

The more of this you can provide, the faster we can triage:

- Affected component — **Core**, **Platform**, or **Bdd** (see *Scope* below)
- Affected version, tag, or commit SHA
- A description of the issue and its impact
- Reproduction steps or a proof of concept
- Your assessment of severity, and whether it is being actively exploited
- Whether you wish to be credited, and how

## Our commitments

For the free (noncommercial) tier:

- **Acknowledgement** within **72 hours** of receipt.
- **Initial triage** and a **CVSS v3.1** assessment within **7 days**.
- **Fixes** are best-effort and severity-driven. The free tier carries no
fixed fix-time SLA. Extended support and guaranteed timelines are
available under a commercial agreement.

These timelines are best-effort commitments from a solo maintainer. They may
be exceeded during periods of illness, bereavement, or other circumstances
beyond the maintainer's control. In such cases the report will be
acknowledged and acted on as soon as is practicable.

## Coordinated disclosure

We follow coordinated disclosure with a **90-day** window from the date of
report, plus a **14-day grace period** if a fix is imminent at day 90. We
will credit reporters who wish to be named, by consent captured at intake.

Advisories are published as **GitHub Security Advisories**. For
vulnerabilities in **Core** (see *Scope*), a **CVE** is requested via
GitHub's CNA.

## Scope

SolidSyslog is a source-available component assembled into a product by the
integrator. Security treatment follows the repository's support tiers:

| Tier | Path | Treatment |
|---|---|---|
| 1 | `Core/` | Full treatment: CVE, advisory, fix, signed release, SBOM entry. |
| 2 | `Platform/` | Advisory treatment: public notice and an updated adapter. No CVE unless the root cause is in `Core/`. |
| 3 | `Bdd/Targets/` | Advisory treatment. Illustrative targets, not a supported product. |

Test code, build infrastructure, CI configuration, and documentation are not
in scope for this policy. Vulnerabilities in third-party libraries you choose
to link (OpenSSL, Mbed TLS, an RTOS TCP stack, …) are the responsibility of
those projects and your own supply-chain process; SolidSyslog bundles none of
them.

See the [threat model](docs/security/threat-model.md) for trust boundaries,
caller obligations, and what the library does and does not defend against.

## Supported versions

SolidSyslog is maintained as a **single mainline**. Security fixes land on the
**latest published release** only. There is no back-port commitment on the
free tier; back-ports are available under a commercial agreement.

## Continuity

If COSOSO ceases to maintain SolidSyslog without transferring it to a
successor maintainer, the then-current release will be relicensed under a
permissive open-source licence (for example Apache-2.0) so that existing
users are not stranded.

## Commercial support

For commercial licensing, guaranteed response times, or back-port support,
contact us via the form at
[cososo.co.uk](https://www.cososo.co.uk/#contact).
Comment on lines +92 to +94

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Remove the owner-specific contact link.

This section should stay on the durable disclosure endpoint only. The homepage contact link is owner-specific, so it weakens the migration-safe contract this policy is meant to provide. Prefer the /security/report form here too, or drop the link entirely.

♻️ Proposed fix
 For commercial licensing, guaranteed response times, or back-port support,
-contact us via the form at
-[cososo.co.uk](https://www.cososo.co.uk/#contact).
+contact us via the form at
+https://cososo.co.uk/security/report.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
For commercial licensing, guaranteed response times, or back-port support,
contact us via the form at
[cososo.co.uk](https://www.cososo.co.uk/#contact).
For commercial licensing, guaranteed response times, or back-port support,
contact us via the form at
https://cososo.co.uk/security/report.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 92 - 94, The contact link in the commercial
licensing paragraph is owner-specific and should be removed or replaced with the
durable security disclosure endpoint. Update the SECURITY.md section containing
the licensing/support contact text so it points to /security/report instead of
the homepage contact form, or omit the link entirely, keeping the language
aligned with the policy’s migration-safe contract.

Loading