docs(security): rewrite SECURITY.md with scope, SLA, severity table, and advisory template#1222
Merged
miss-yusrah merged 2 commits intoJun 28, 2026
Conversation
…add advisory template
|
@V1ctor-o Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Complete rewrite of
docs/reference/SECURITY.md, which previously only described a generic vulnerability disclosure policy with a placeholder contact ([INSERT SECURITY EMAIL OR TG HANDLE]) and no scope, SLA, or severity definitions. Adds a new.github/SECURITY_ADVISORY_TEMPLATE.mdfor use with GitHub's private vulnerability reporting feature.What changed
Scope (new)
Explicit in-scope / out-of-scope lists, VaultDAO-specific rather than generic:
AUDIT_SCOPE.md, and devnet-only issues that don't reflect real network behavior.Reporting process (new)
SECURITY.md(they're independent; one doesn't imply the other is configured).[MAINTAINER ACTION REQUIRED]placeholder rather than a fabricated address, since no real security contact exists anywhere in this repo today (same gap as the existing placeholder inCODE_OF_CONDUCT.md).Response SLA (new)
Calibrated against this repo's actual activity (checked: 169 unique contributors, 1,475 commits, 84 in the last 7 days) rather than picked arbitrarily:
Deliberately does not promise sub-48-hour acknowledgement or guaranteed same-day fixes — the issue explicitly asked for realistic SLAs, and given how many structural bugs were found by hand across the last few PRs in this codebase, overpromising here seemed like the wrong call.
Severity classification table (new)
Critical / High / Medium / Low, each with a real, already-documented VaultDAO finding as the worked example (not generic web-security examples):
AUDIT_SCOPE.md§1.6)AUDIT_SCOPE.md§1.3)AUDIT_SCOPE.md§1.4)i128arithmetic with nooverflow-checksin the release profile (AUDIT_SCOPE.md§1.5)Every
AUDIT_SCOPE.mdsection reference was checked against the actual file before inclusion.Responsible disclosure timeline (new)
Report → acknowledge → triage → fix → coordinated disclosure (default 30 days after fix ships) → public disclosure/CVE request, plus how an actively-exploited report changes the timeline.
Bug bounty section (new, explicitly TBD per issue instructions)
States plainly that no funded bounty program exists yet, what we can commit to today (public credit), and the four concrete things maintainers need to decide (qualifying severities, reward amounts, payment method, whether already-known
AUDIT_SCOPE.mdfindings are bounty-eligible) before announcing one — rather than implying a program exists with vague placeholder numbers.GitHub Security Advisory template (new file:
.github/SECURITY_ADVISORY_TEMPLATE.md)A copy-paste template for the description field of GitHub's native private vulnerability report form. Not placed under
.github/ISSUE_TEMPLATE/deliberately — vulnerability reports shouldn't be public issue templates, since that would defeat private disclosure.Known gap — needs a maintainer action, not a code/doc fix
The email backup channel is left as an explicit placeholder (
[MAINTAINER ACTION REQUIRED]) rather than a fabricated address. Whoever has repo admin access should either:I can't verify from outside the repo whether private vulnerability reporting is currently enabled — the doc includes a note telling readers how to tell, and instructs whoever enables it to remove that note once it's done.
Verification
AUDIT_SCOPE.mdsection cross-references checked against the actual file contentNotes for reviewers
This is a documentation-only PR; no code changes. The one outstanding item (private vulnerability reporting toggle) is a repository setting only an org/repo admin can change — it's called out explicitly in the doc itself so it doesn't get silently missed.
Closes #1179