docs: add SECURITY.md security policy #111

Merged
rubenhensen merged 1 commit into main from docs/security-policy on Jul 1, 2026

Conversation

@rubenhensen (Contributor)

Closes #102.

Adds a SECURITY.md responsible-disclosure policy. GitHub surfaces it in the repo's Security tab and the "Report a vulnerability" flow, so external researchers have a documented, private way to report issues instead of opening public issues.

What's in it

  • Reporting channels — GitHub private vulnerability reporting as the primary channel (now enabled on the repo), with info@postguard.eu as an email fallback.
  • What to expect — a 5-business-day acknowledgement target and coordinated disclosure.
  • Supported versions — reflects the continuous-release model (fixes on main / latest release; no backports to older tags).
  • Scope — in scope: this repo's app + published image; out of scope: the Yivi/IRMA infrastructure (→ privacybydesign), upstream dependency issues, demo/seed data, and physical/social-engineering/DoS findings.

Please sanity-check the 5-business-day target and the out-of-scope list against how the team actually wants to handle reports — both are easy to adjust.

@dobby-coder (Bot, Contributor) commented Jul 1, 2026

On it, @rubenhensen! I'll review the SECURITY.md policy PR now and post a consolidated review with my verdict.

rubenhensen merged commit 88884cb into main on Jul 1, 2026 (14 checks passed) and deleted the docs/security-policy branch on July 1, 2026 at 11:15.

@dobby-coder (Bot, Contributor) left a review comment

🧦 Reviewed — approving.

Content review: Verified every factual claim in SECURITY.md against the repo. The SvelteKit app + server endpoints + published Docker image description is accurate, the edge image tag matches ci.yml (type=edge,branch=main), the *.example.nl fixtures exist (acme/shared.example.nl in seed.ts and legacy-api-keys.test.ts), and the advisory URL path is correct. No broken links or inaccurate claims.

Rule compliance: Ran the full rule set (org rules + postguard-business repo rules) against the diff — no violations. Docs-only change (single new file, no runtime behaviour), so tests were not required. PR title "docs: add SECURITY.md security policy" follows conventional-commit format.

One non-blocking note echoing the author: the 5-business-day ack target and the out-of-scope list are policy choices worth a maintainer sanity-check, but neither blocks merge.

@dobby-coder (Bot, Contributor) commented Jul 1, 2026

Reviewed and approved! 🟢 No findings — all factual claims check out against the repo, and the PR passes the full org/postguard-business rule set.

One non-blocking note I left on the review: worth a quick sanity-check that the 5-business-day acknowledgement target is realistic given your current team bandwidth, and that the out-of-scope list covers everything you intend to exclude.

Otherwise this looks great — nice to have a proper responsible-disclosure policy in place. 🔒


Development

Successfully merging this pull request may close these issues: Security: add SECURITY.md (responsible-disclosure policy)