docs: consolidate security policy to canonical website URL#10559
docs: consolidate security policy to canonical website URL#10559MarkAtwood wants to merge 3 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR consolidates the repository’s coordinated vulnerability disclosure policy by removing the redundant in-repo policy document and pointing GitHub’s Security tab content to the canonical policy hosted on wolfssl.com.
Changes:
- Delete
SECURITY-POLICY.md(policy content no longer duplicated in-repo). - Update
.github/SECURITY.mdto include contact + PGP fingerprint and link to the canonical vulnerability disclosure policy URL. - Keep the vulnerability report template reference and CVE-submission direction via
SECURITY-REPORT-TEMPLATE.md.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
SECURITY-POLICY.md |
Removes the duplicated in-repo security policy document. |
.github/SECURITY.md |
Updates GitHub Security tab guidance to point to the canonical website policy and retains reporting details (contact, PGP fingerprint, template link). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Replace inline SECURITY-POLICY.md with a thin pointer in .github/SECURITY.md to the canonical policy at wolfssl.com/.well-known/vulnerability-disclosure-policy.txt. Keeps PGP key, contact info, and report template reference. Removes SECURITY-POLICY.md (now redundant).
Per Chris Conlon, secure@ is the existing alias for inbound security reports. support@ is the general support inbox. Aligns with the canonical /.well-known/security.txt and vulnerability-disclosure-policy.txt.
8cde47d to
fe70129
Compare
| @@ -1,74 +0,0 @@ | |||
| # wolfSSL Security Policy | |||
There was a problem hiding this comment.
I don't see the point of moving this to https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt . Is it so that our other repos share this too?
There was a problem hiding this comment.
Yes — the .well-known URL is so the other wolfSSL repos (wolfssh, wolftpm, etc.) can point at one canonical VDP instead of each carrying a copy that drifts. But you're right that deleting the in-repo policy was the wrong way to get there.
Reverted: SECURITY-POLICY.md stays as the authoritative in-repo policy, and the URL is now just a published mirror of it. SECURITY.md keeps support@ as preferred with secure@/PGP as an option, drops the phone number, and restores the mandatory-template + keep-private guidance (fixing the intro/template contradiction). Ready for another look.
|
|
||
| ## Report Template | ||
|
|
||
| For CVE consideration, submit a completed |
There was a problem hiding this comment.
This contradicts everything above it
| ## Reporting a Vulnerability | ||
|
|
||
| **Use of the wolfSSL Vulnerability Report Template is mandatory.** All security reports must use [`SECURITY-REPORT-TEMPLATE.md`](../SECURITY-REPORT-TEMPLATE.md), with every required field completed. Reports that do not use the template, or that leave required fields incomplete, will not receive CVE consideration. | ||
| Report security vulnerabilities to **secure@wolfssl.com** or call **+1-425-245-8247**. |
There was a problem hiding this comment.
Keep the support@. That is the preference. Provide the secure@ as a option with PGP key. Do not include the phone number. Thanks
|
|
||
| Reporter-proposed severity is input to the process, not its conclusion. | ||
|
|
||
| ## What Is Not Considered a Vulnerability |
There was a problem hiding this comment.
Why is this section being removed? It is important and is NOT in the new one you proposed.
Address review feedback (dgarske): - Restore SECURITY-POLICY.md instead of deleting it. The full policy (severity rubric, scope, coordinated disclosure, credit) stays in-repo; the canonical website URL is now presented as a mirror of it, not a replacement, so other repos can still reference one copy. - SECURITY.md: prefer support@wolfssl.com, offer secure@wolfssl.com with the PGP key as an option, and drop the phone number. - Restore the mandatory report-template requirement and the "keep the vulnerability private until a fix is released" guidance, resolving the contradiction between the intro and the template section.
Summary
coordinated vulnerability disclosure policy at
https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt
in
.github/SECURITY.md(what GitHub shows on the Security tab)SECURITY-POLICY.md(now redundant — canonical policy lives onthe website)
secure@wolfssl.com, consistent with the canonicalpolicy and Chris Conlon's note (2026-06-01) that
secure@is theexisting alias for inbound security reports
The website policy is the single source of truth, maintained for CRA
compliance. The report template (
SECURITY-REPORT-TEMPLATE.md) isunchanged.