From 504db8f45474c771ef1991a78c7bdd8c36f8c958 Mon Sep 17 00:00:00 2001 From: kallal79 Date: Fri, 3 Apr 2026 14:42:18 +0530 Subject: [PATCH 1/4] Add SECURITY.md vulnerability reporting policy Implement issue #309 by adding a dedicated security policy for bundler-audit. Changes: - Add SECURITY.md with private vulnerability reporting instructions. - Document email reporting channel and disclosure expectations. - Add spec/security_policy_spec.rb to verify policy file presence and core guidance. This commit intentionally contains only security-policy related files. --- SECURITY.md | 32 ++++++++++++++++++++++++++++++++ spec/security_policy_spec.rb | 22 ++++++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 SECURITY.md create mode 100644 spec/security_policy_spec.rb diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..a0eccb90 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,32 @@ +# Security Policy + +If you discover a security vulnerability in bundler-audit, please report it +privately. + +## Reporting A Vulnerability + +- Email: postmodern.mod3@gmail.com +- Subject: "[bundler-audit] Security vulnerability report" + +Please include: + +- A clear description of the issue and impact. +- Steps to reproduce or a proof of concept. +- Affected versions and environment details. +- Any suggested remediation, if known. + +Do not open a public GitHub issue for suspected vulnerabilities. + +## Encryption + +If you want to send encrypted details, mention this in your initial email and we +will coordinate a secure channel. + +## Disclosure Process + +After confirmation, maintainers will: + +1. Acknowledge receipt. +2. Investigate and validate the report. +3. Prepare and release a fix. +4. Coordinate responsible disclosure details. diff --git a/spec/security_policy_spec.rb b/spec/security_policy_spec.rb new file mode 100644 index 00000000..056eaa8e --- /dev/null +++ b/spec/security_policy_spec.rb 
@@ -0,0 +1,22 @@ +require 'spec_helper' + +describe 'SECURITY.md' do + let(:path) do + File.expand_path(File.join(File.dirname(__FILE__), '..', 'SECURITY.md')) + end + + let(:content) { File.read(path) } + + it 'exists' do + expect(File.file?(path)).to be(true) + end + + it 'contains private reporting guidance' do + expect(content).to include('Reporting A Vulnerability') + expect(content).to include('Do not open a public GitHub issue') + end + + it 'contains a security contact channel' do + expect(content).to include('postmodern.mod3@gmail.com') + end +end From fdd10a229068c3a2ff908f87ab47deca52c25010 Mon Sep 17 00:00:00 2001 From: kallal79 Date: Wed, 3 Jun 2026 11:25:41 +0530 Subject: [PATCH 2/4] Update security email to security@rubysec.com --- SECURITY.md | 2 +- spec/security_policy_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index a0eccb90..6943b36a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -5,7 +5,7 @@ privately. ## Reporting A Vulnerability -- Email: postmodern.mod3@gmail.com +- Email: security@rubysec.com - Subject: "[bundler-audit] Security vulnerability report" Please include: diff --git a/spec/security_policy_spec.rb b/spec/security_policy_spec.rb index 056eaa8e..7d554515 100644 --- a/spec/security_policy_spec.rb +++ b/spec/security_policy_spec.rb @@ -17,6 +17,6 @@ end it 'contains a security contact channel' do - expect(content).to include('postmodern.mod3@gmail.com') + expect(content).to include('security@rubysec.com') end end From e68eecadad38572216cdf7649b0e7a11c61c58f4 Mon Sep 17 00:00:00 2001 From: kallal79 Date: Wed, 3 Jun 2026 11:30:11 +0530 Subject: [PATCH 3/4] Fix CRLF line endings for rubocop --- SECURITY.md | 64 ++++++++++++++++++------------------ spec/security_policy_spec.rb | 44 ++++++++++++------------- 2 files changed, 54 insertions(+), 54 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 6943b36a..cea35c47 100644 --- a/SECURITY.md +++ b/SECURITY.md 
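Review bot: The `'contains a security contact channel'` example pins the literal mailbox `postmodern.mod3@gmail.com`, so any change to the contact in SECURITY.md must be mirrored in this spec (patches 2 and 4 of this series already flip it twice). Asserting the shape of the contact line instead keeps the guard against an accidentally removed channel without coupling the test to one address: `expect(content).to match(/^- Email: [^@\s]+@[^@\s]+$/)`. Minor: `File.expand_path(File.join(File.dirname(__FILE__), '..', 'SECURITY.md'))` can be written `File.expand_path('../SECURITY.md', __dir__)`. Whether a bare top-level `describe` is permitted depends on the project's spec_helper settings, which are not visible here.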
@@ -1,32 +1,32 @@ -# Security Policy - -If you discover a security vulnerability in bundler-audit, please report it -privately. - -## Reporting A Vulnerability - -- Email: security@rubysec.com -- Subject: "[bundler-audit] Security vulnerability report" - -Please include: - -- A clear description of the issue and impact. -- Steps to reproduce or a proof of concept. -- Affected versions and environment details. -- Any suggested remediation, if known. - -Do not open a public GitHub issue for suspected vulnerabilities. - -## Encryption - -If you want to send encrypted details, mention this in your initial email and we -will coordinate a secure channel. - -## Disclosure Process - -After confirmation, maintainers will: - -1. Acknowledge receipt. -2. Investigate and validate the report. -3. Prepare and release a fix. -4. Coordinate responsible disclosure details. +# Security Policy + +If you discover a security vulnerability in bundler-audit, please report it +privately. + +## Reporting A Vulnerability + +- Email: security@rubysec.com +- Subject: "[bundler-audit] Security vulnerability report" + +Please include: + +- A clear description of the issue and impact. +- Steps to reproduce or a proof of concept. +- Affected versions and environment details. +- Any suggested remediation, if known. + +Do not open a public GitHub issue for suspected vulnerabilities. + +## Encryption + +If you want to send encrypted details, mention this in your initial email and we +will coordinate a secure channel. + +## Disclosure Process + +After confirmation, maintainers will: + +1. Acknowledge receipt. +2. Investigate and validate the report. +3. Prepare and release a fix. +4. Coordinate responsible disclosure details. diff --git a/spec/security_policy_spec.rb b/spec/security_policy_spec.rb index 7d554515..165236cd 100644 --- a/spec/security_policy_spec.rb +++ b/spec/security_policy_spec.rb 
@@ -1,22 +1,22 @@ -require 'spec_helper' - -describe 'SECURITY.md' do - let(:path) do - File.expand_path(File.join(File.dirname(__FILE__), '..', 'SECURITY.md')) - end - - let(:content) { File.read(path) } - - it 'exists' do - expect(File.file?(path)).to be(true) - end - - it 'contains private reporting guidance' do - expect(content).to include('Reporting A Vulnerability') - expect(content).to include('Do not open a public GitHub issue') - end - - it 'contains a security contact channel' do - expect(content).to include('security@rubysec.com') - end -end +require 'spec_helper' + +describe 'SECURITY.md' do + let(:path) do + File.expand_path(File.join(File.dirname(__FILE__), '..', 'SECURITY.md')) + end + + let(:content) { File.read(path) } + + it 'exists' do + expect(File.file?(path)).to be(true) + end + + it 'contains private reporting guidance' do + expect(content).to include('Reporting A Vulnerability') + expect(content).to include('Do not open a public GitHub issue') + end + + it 'contains a security contact channel' do + expect(content).to include('security@rubysec.com') + end +end From 62f0a85e1121858feb5829c476a5f3c0541edc44 Mon Sep 17 00:00:00 2001 From: kallal79 Date: Wed, 10 Jun 2026 21:03:41 +0530 Subject: [PATCH 4/4] Revert email to original maintainer's email pending #428 decision --- SECURITY.md | 2 +- spec/security_policy_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index cea35c47..49789878 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -5,7 +5,7 @@ privately. ## Reporting A Vulnerability -- Email: security@rubysec.com +- Email: postmodern.mod3@gmail.com - Subject: "[bundler-audit] Security vulnerability report" Please include: diff --git a/spec/security_policy_spec.rb b/spec/security_policy_spec.rb index 165236cd..f47c4f2f 100644 --- a/spec/security_policy_spec.rb +++ b/spec/security_policy_spec.rb 
@@ -17,6 +17,6 @@ end it 'contains a security contact channel' do - expect(content).to include('security@rubysec.com') + expect(content).to include('postmodern.mod3@gmail.com') end end