docs: add SECURITY.md vulnerability disclosure policy #87
Merged
Closes the doc-level gap for CISA Secure by Design Pledge goal 5 (vulnerability disclosure policy). Publishes a SECURITY.md at the repo root — the path GitHub surfaces in the Security tab — covering:

- Reporting channels: security@hanalyx.com (GPG-encryptable via KEYS) + GitHub private vulnerability reporting.
- A 3-business-day acknowledgment commitment.
- Coordinated disclosure (90-day window), safe harbor for good-faith research, and in/out-of-scope definitions (notably: the hosts an operator manages are out of scope; the passwordless-sudo and air-gap design decisions are intentional).
- A CVE-with-CWE issuance commitment for confirmed Kensa vulnerabilities (advances pledge goal 6).

Written to docs/DEVELOPER_DOCUMENTATION_STYLE_GUIDE.md (sentence-case headings, active voice, second person for the reporter, "we" only for genuine team commitments, ISO 8601 dates, no "simply/just/please", evidence over assurances — links to KEYS and the install-guide verification steps).

Operational prerequisites NOT done by this commit (founder/ops action): stand up and monitor security@hanalyx.com, and enable GitHub private vulnerability reporting in repo Settings -> Security.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
**What**

Adds a `SECURITY.md` vulnerability disclosure policy at the repo root — the path GitHub surfaces in the Security tab. Closes the doc-level gap for CISA Secure by Design Pledge goal 5 (and advances goal 6).

**Decisions (confirmed by founder)**

- `security@hanalyx.com` (GPG-encryptable via `KEYS`) and GitHub private vulnerability reporting.

**Also covers**

Coordinated disclosure (90-day window), safe harbor for good-faith research, and explicit scope. Notable scope calls: the hosts an operator manages are out of scope (operator's systems, not a Kensa vuln), and the passwordless-`sudo`-only and air-gap/no-telemetry design decisions are intentional (report a path if you think one is exploitable).

**Style**

Written to `docs/DEVELOPER_DOCUMENTATION_STYLE_GUIDE.md`: sentence-case headings, active voice, second person for the reporter, "we" only for genuine team commitments, ISO 8601 dates, no "simply/just/please," evidence over assurances (links to `KEYS` and the install-guide verification steps). Self-checked clean for forbidden words and spaced em dashes.

This PR is the policy. For it to be real, two things need a human:

- `security@hanalyx.com`. A VDP pointing at a dead inbox is worse than none.
- (`/security/advisories/new` link 404s until then.)

Also worth a careful read before merge: the safe-harbor and 90-day disclosure terms are real commitments — I drafted them to convention, but I'm not a lawyer; confirm they match Hanalyx's intent.

(The local `docs/context/CISA_SECURE_BY_DESIGN_PLEDGE.md` pledge map is updated to mark goal 5 addressed with these prerequisites pending — gitignored, not in this PR.)

🤖 Generated with Claude Code