Skip to content

docs: consolidate security policy to canonical website URL#10559

Open
MarkAtwood wants to merge 3 commits into
wolfSSL:masterfrom
MarkAtwood:security-policy-canonical-pointer
Open

docs: consolidate security policy to canonical website URL#10559
MarkAtwood wants to merge 3 commits into
wolfSSL:masterfrom
MarkAtwood:security-policy-canonical-pointer

Conversation

@MarkAtwood

@MarkAtwood MarkAtwood commented May 29, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Replace the inline security policy with a thin pointer to the canonical
    coordinated vulnerability disclosure policy at
    https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt
  • Keep PGP key fingerprint, contact info, and report template reference
    in .github/SECURITY.md (what GitHub shows on the Security tab)
  • Delete SECURITY-POLICY.md (now redundant — canonical policy lives on
    the website)
  • Contact email is secure@wolfssl.com, consistent with the canonical
    policy and Chris Conlon's note (2026-06-01) that secure@ is the
    existing alias for inbound security reports

The website policy is the single source of truth, maintained for CRA
compliance. The report template (SECURITY-REPORT-TEMPLATE.md) is
unchanged.

Copilot AI review requested due to automatic review settings May 29, 2026 17:43

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR consolidates the repository’s coordinated vulnerability disclosure policy by removing the redundant in-repo policy document and pointing GitHub’s Security tab content to the canonical policy hosted on wolfssl.com.

Changes:

  • Delete SECURITY-POLICY.md (policy content no longer duplicated in-repo).
  • Update .github/SECURITY.md to include contact + PGP fingerprint and link to the canonical vulnerability disclosure policy URL.
  • Keep the vulnerability report template reference and CVE-submission direction via SECURITY-REPORT-TEMPLATE.md.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
SECURITY-POLICY.md Removes the duplicated in-repo security policy document.
.github/SECURITY.md Updates GitHub Security tab guidance to point to the canonical website policy and retains reporting details (contact, PGP fingerprint, template link).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/SECURITY.md Outdated
@MarkAtwood MarkAtwood requested a review from cconlon May 29, 2026 17:57
@github-actions

github-actions Bot commented May 29, 2026

Copy link
Copy Markdown

MemBrowse Memory Report

gcc-arm-cortex-m0plus

  • FLASH: .text +680 B (+1.1%, 64,155 B / 262,144 B, total: 24% used)

gcc-arm-cortex-m3

  • FLASH: .text +1,224 B (+1.0%, 122,481 B / 262,144 B, total: 47% used)

gcc-arm-cortex-m4

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .rodata.wolfSSL_ERR_reason_error_string.str1.1 +88 B, .text +1,472 B (+0.8%, 200,320 B / 262,144 B, total: 76% used)

gcc-arm-cortex-m4-baremetal

  • FLASH: .text +768 B (+1.2%, 66,827 B / 262,144 B, total: 25% used)

gcc-arm-cortex-m4-crypto-only

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .text +960 B (+0.6%, 174,568 B / 262,144 B, total: 67% used)

gcc-arm-cortex-m4-dtls13

  • FLASH: .text +1,344 B (+0.7%, 180,888 B / 1,048,576 B, total: 17% used)

gcc-arm-cortex-m4-min-ecc

  • FLASH: .text +704 B (+1.2%, 61,741 B / 262,144 B, total: 24% used)

gcc-arm-cortex-m4-openssl-compat

  • FLASH: .rodata +480 B, .text +4,416 B (+0.6%, 771,148 B / 1,048,576 B, total: 74% used)

gcc-arm-cortex-m4-pkcs7

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .text +1,536 B (+0.8%, 212,588 B / 262,144 B, total: 81% used)

gcc-arm-cortex-m4-pq

  • FLASH: .rodata +140 B, .text +2,112 B (+0.8%, 279,396 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m4-rsa-only

  • FLASH: .rodata +136 B, .text +2,240 B (+0.7%, 324,992 B / 1,048,576 B, total: 31% used)

gcc-arm-cortex-m4-sp-math

  • FLASH: .text +704 B (+1.2%, 61,741 B / 262,144 B, total: 24% used)

gcc-arm-cortex-m4-tls12

  • FLASH: .text +1,216 B (+1.0%, 123,213 B / 262,144 B, total: 47% used)

gcc-arm-cortex-m4-tls13

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .rodata.wolfSSL_ERR_reason_error_string.str1.1 +88 B, .text +1,472 B (+0.7%, 236,082 B / 262,144 B, total: 90% used)

gcc-arm-cortex-m7

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .rodata.wolfSSL_ERR_reason_error_string.str1.1 +88 B, .text +1,472 B (+0.8%, 200,320 B / 262,144 B, total: 76% used)

gcc-arm-cortex-m7-pq

  • FLASH: .rodata +140 B, .text +2,048 B (+0.8%, 279,972 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m7-tls13

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +54 B, .rodata.wolfSSL_ERR_reason_error_string.str1.1 +88 B, .text +1,536 B (+0.7%, 236,146 B / 262,144 B, total: 90% used)

linuxkm-pie

  • Data: __patchable_function_entries +1,344 B (+5.6%, 25,552 B)

linuxkm-standard

  • Data: __patchable_function_entries +2,296 B (+5.0%, 48,216 B)

stm32-sim-stm32h753

  • FLASH: .text +1,968 B (+1.1%, 183,460 B / 2,097,152 B, total: 9% used)

Replace inline SECURITY-POLICY.md with a thin pointer in
.github/SECURITY.md to the canonical policy at
wolfssl.com/.well-known/vulnerability-disclosure-policy.txt.

Keeps PGP key, contact info, and report template reference.
Removes SECURITY-POLICY.md (now redundant).
Per Chris Conlon, secure@ is the existing alias for inbound security
reports. support@ is the general support inbox.

Aligns with the canonical /.well-known/security.txt and
vulnerability-disclosure-policy.txt.
@MarkAtwood MarkAtwood force-pushed the security-policy-canonical-pointer branch from 8cde47d to fe70129 Compare June 9, 2026 15:23
Comment thread SECURITY-POLICY.md
@@ -1,74 +0,0 @@
# wolfSSL Security Policy

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see the point of moving this to https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt . Is it so that our other repos share this too?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes — the .well-known URL is so the other wolfSSL repos (wolfssh, wolftpm, etc.) can point at one canonical VDP instead of each carrying a copy that drifts. But you're right that deleting the in-repo policy was the wrong way to get there.

Reverted: SECURITY-POLICY.md stays as the authoritative in-repo policy, and the URL is now just a published mirror of it. SECURITY.md keeps support@ as preferred with secure@/PGP as an option, drops the phone number, and restores the mandatory-template + keep-private guidance (fixing the intro/template contradiction). Ready for another look.

Comment thread .github/SECURITY.md Outdated

## Report Template

For CVE consideration, submit a completed

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This contradicts everything above it

Comment thread .github/SECURITY.md Outdated
## Reporting a Vulnerability

**Use of the wolfSSL Vulnerability Report Template is mandatory.** All security reports must use [`SECURITY-REPORT-TEMPLATE.md`](../SECURITY-REPORT-TEMPLATE.md), with every required field completed. Reports that do not use the template, or that leave required fields incomplete, will not receive CVE consideration.
Report security vulnerabilities to **secure@wolfssl.com** or call **+1-425-245-8247**.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Keep the support@. That is the preference. Provide the secure@ as a option with PGP key. Do not include the phone number. Thanks

Comment thread SECURITY-POLICY.md

Reporter-proposed severity is input to the process, not its conclusion.

## What Is Not Considered a Vulnerability

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this section being removed? It is important and is NOT in the new one you proposed.

@dgarske dgarske removed the request for review from cconlon June 10, 2026 17:36
Address review feedback (dgarske):

- Restore SECURITY-POLICY.md instead of deleting it. The full policy
  (severity rubric, scope, coordinated disclosure, credit) stays in-repo;
  the canonical website URL is now presented as a mirror of it, not a
  replacement, so other repos can still reference one copy.
- SECURITY.md: prefer support@wolfssl.com, offer secure@wolfssl.com with
  the PGP key as an option, and drop the phone number.
- Restore the mandatory report-template requirement and the "keep the
  vulnerability private until a fix is released" guidance, resolving the
  contradiction between the intro and the template section.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants