Create SECURITY.md for vulnerability reporting#725
Create SECURITY.md for vulnerability reporting#725acornall wants to merge 1 commit intoveraPDF:integrationfrom
Conversation
Added a security policy for reporting vulnerabilities.
📝 WalkthroughWalkthroughA new SECURITY.md file is added, establishing a vulnerability reporting policy that directs security issues to GitHub's advisory workflow, specifies required details, and defines a 90-day remediation timeline before public disclosure. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
SECURITY.md (1)
16-16: Soften the fixed 90-day disclosure rule.A hard 90-day requirement reads rigid for critical or actively exploited issues. Safer wording is to make this a target and say disclosure timing will be coordinated based on severity and remediation progress.
Proposed wording
-Please allow us 90 days to work on a fix before public disclosure. +We aim to remediate reported vulnerabilities within 90 days and will coordinate +public disclosure timing with the reporter based on severity and fix availability.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@SECURITY.md` at line 16, Replace the rigid sentence "Please allow us 90 days to work on a fix before public disclosure." with softer, target-based disclosure language: state that 90 days is the target timeline but that disclosure timing will be coordinated based on severity and remediation progress, and add a line committing to communication and reasonable extensions for active exploitation or critical fixes (identify the exact sentence to change and update it in SECURITY.md).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@SECURITY.md`:
- Around line 3-8: Update SECURITY.md to add a fallback private reporting
channel alongside the existing GitHub advisory link: keep the existing paragraph
and link text but append a sentence offering an alternative contact method
(e.g., a dedicated security@ or PGP-encrypted email address and instructions for
encryption) for reporters who cannot use GitHub; ensure the new sentence
references the current “Report a vulnerability” flow and provides clear, brief
instructions for using the fallback channel and any required metadata
(vulnerability summary, reproduction steps, contact preference).
---
Nitpick comments:
In `@SECURITY.md`:
- Line 16: Replace the rigid sentence "Please allow us 90 days to work on a fix
before public disclosure." with softer, target-based disclosure language: state
that 90 days is the target timeline but that disclosure timing will be
coordinated based on severity and remediation progress, and add a line
committing to communication and reasonable extensions for active exploitation or
critical fixes (identify the exact sentence to change and update it in
SECURITY.md).
| If you have discovered a security vulnerability in this project, please report it | ||
| privately. **Do not disclose it as a public issue.** This gives us time to work with you | ||
| to fix the issue before public exposure, reducing the chance that the exploit will be | ||
| used before a patch is released. | ||
|
|
||
| Please submit reports via the [Report a vulnerability](https://github.com/veraPDF/veraPDF-validation/security/advisories/new) button. |
There was a problem hiding this comment.
🛠️ Refactor suggestion | 🟠 Major
Add a fallback private reporting channel.
Right now the policy only offers GitHub's advisory workflow. If a reporter cannot use GitHub or that flow is unavailable, there is no private path left for disclosure.
Proposed wording
If you have discovered a security vulnerability in this project, please report it
privately. **Do not disclose it as a public issue.** This gives us time to work with you
to fix the issue before public exposure, reducing the chance that the exploit will be
used before a patch is released.
Please submit reports via the [Report a vulnerability](https://github.com/veraPDF/veraPDF-validation/security/advisories/new) button.
+If you cannot use that workflow, please contact the maintainers through an alternate
+private channel (for example, a dedicated security email address).📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| If you have discovered a security vulnerability in this project, please report it | |
| privately. **Do not disclose it as a public issue.** This gives us time to work with you | |
| to fix the issue before public exposure, reducing the chance that the exploit will be | |
| used before a patch is released. | |
| Please submit reports via the [Report a vulnerability](https://github.com/veraPDF/veraPDF-validation/security/advisories/new) button. | |
| If you have discovered a security vulnerability in this project, please report it | |
| privately. **Do not disclose it as a public issue.** This gives us time to work with you | |
| to fix the issue before public exposure, reducing the chance that the exploit will be | |
| used before a patch is released. | |
| Please submit reports via the [Report a vulnerability](https://github.com/veraPDF/veraPDF-validation/security/advisories/new) button. | |
| If you cannot use that workflow, please contact the maintainers through an alternate | |
| private channel (for example, a dedicated security email address). |
🧰 Tools
🪛 LanguageTool
[style] ~5-~5: Consider using a different verb for a more formal wording.
Context: ... This gives us time to work with you to fix the issue before public exposure, reduc...
(FIX_RESOLVE)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@SECURITY.md` around lines 3 - 8, Update SECURITY.md to add a fallback private
reporting channel alongside the existing GitHub advisory link: keep the existing
paragraph and link text but append a sentence offering an alternative contact
method (e.g., a dedicated security@ or PGP-encrypted email address and
instructions for encryption) for reporters who cannot use GitHub; ensure the new
sentence references the current “Report a vulnerability” flow and provides
clear, brief instructions for using the fallback channel and any required
metadata (vulnerability summary, reproduction steps, contact preference).
|
@acornall thanks a lot for the suggestion. I do confirm we take it very seriously, but need a bit of time to review it also in scope EU CRA act. |
|
No worries @bdoubrov let me know if I can be of assistance |
2 participants
Hey team I'd like to propose adding a security policy for reporting vulnerabilities in this project. The included policy is just an example based on other open source projects and can be adjusted to your liking. Some common approaches are:
Summary by CodeRabbit