From d9f69506b39004054a53a5de5688a6646de51206 Mon Sep 17 00:00:00 2001 From: Noah Hollmann Date: Fri, 15 May 2026 23:20:43 +0200 Subject: [PATCH 1/3] chore: add SECURITY.md pointing to security@priorlabs.ai GitHub auto-renders this as the "Report a vulnerability" link on the repo's Security tab, giving researchers an obvious place to send disclosure reports. Co-Authored-By: Claude Opus 4.7 (1M context) --- SECURITY.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..e4c2cfb --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,6 @@ +# Security + +Please email **security@priorlabs.ai** to report a vulnerability. + +We support coordinated disclosure and will acknowledge promptly. +Don't file public GitHub issues for suspected vulnerabilities. From 103cd97824577271a16b48b1df59f13f6b19da63 Mon Sep 17 00:00:00 2001 From: Noah Hollmann Date: Fri, 15 May 2026 23:35:28 +0200 Subject: [PATCH 2/3] docs(security): add Supported Versions section per review Per PR review: include an explicit Supported Versions policy. Stating 'most recent minor only' is honest about our actual maintenance posture and avoids the misleading generic template (3.x/2.x) that the upstream bot suggested verbatim. Co-Authored-By: Claude Opus 4.7 (1M context) --- SECURITY.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index e4c2cfb..6a616d1 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,5 +1,12 @@ # Security +## Supported Versions + +We support only the most recent minor release. Older releases do not +receive security patches — please upgrade. + +## Reporting a Vulnerability + Please email **security@priorlabs.ai** to report a vulnerability. We support coordinated disclosure and will acknowledge promptly. From 22b9a1360006e8e08736d75c8ce07b60dca74c6f Mon Sep 17 00:00:00 2001 
From: Noah Hollmann Date: Fri, 15 May 2026 23:49:22 +0200 Subject: [PATCH 3/3] docs(security): soften disclosure language per review Change 'Don't file public GitHub issues' to the more formal 'Please do not report security vulnerabilities via public GitHub issues.' Matches the tone of the rest of the policy. --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 6a616d1..da1968b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -10,4 +10,4 @@ receive security patches — please upgrade. Please email **security@priorlabs.ai** to report a vulnerability. We support coordinated disclosure and will acknowledge promptly. -Don't file public GitHub issues for suspected vulnerabilities. +Please do not report security vulnerabilities via public GitHub issues.
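Review bot: on the first hunk (the new SECURITY.md in PATCH 1/3), "will acknowledge promptly" gives a researcher no concrete expectation, and the policy offers no way to send a report encrypted. Consider stating a target acknowledgement window (for example, within five business days) and, if the team maintains one, publishing a PGP key or fingerprint for security@priorlabs.ai alongside the address, so that reports containing proof-of-concept details are not sent in cleartext by default. It would also help reporters to list what a useful report contains (affected version, reproduction steps, impact), which makes triage on the receiving side faster.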
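Review bot: on the second hunk (the Supported Versions section added in PATCH 2/3), "We support only the most recent minor release" leaves two things for a reader to guess: whether patch releases within that minor (x.y.1, x.y.2) are all covered or only the latest one, and where to look up which minor is current. Suggest naming the versioning scheme explicitly (e.g. "the latest x.y series, including its patch releases") and linking to the releases page or tag list so users can check their own install against the policy without asking. The commit message's reasoning for rejecting the generic 3.x/2.x template is sound and could be kept in the file as a one-line rationale.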
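Review bot: on the third hunk (PATCH 3/3), the reworded sentence "Please do not report security vulnerabilities via public GitHub issues." still leaves reporters with only one channel; since the first commit message relies on GitHub's Security tab to surface this file, consider also enabling GitHub's private vulnerability reporting for the repository and mentioning it here as an accepted alternative to email, and stating what maintainers will do if a report is accidentally filed as a public issue (for example, convert it to a private advisory and redact the issue). As a style point, the section now has three consecutive sentences beginning with "Please"; merging the email instruction and this sentence into one would read more naturally.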