docs: add SECURITY.md security policy#111
Conversation
On it, @rubenhensen! I'll review the SECURITY.md policy PR now and post a consolidated review with my verdict.
🧦 Reviewed — approving.
Content review: Verified every factual claim in SECURITY.md against the repo. The SvelteKit app + server endpoints + published Docker image description is accurate, the edge image tag matches ci.yml (type=edge,branch=main), the *.example.nl fixtures exist (acme/shared.example.nl in seed.ts and legacy-api-keys.test.ts), and the advisory URL path is correct. No broken links or inaccurate claims.
Rule compliance: Ran the full rule set (org rules + postguard-business repo rules) against the diff — no violations. Docs-only change (single new file, no runtime behaviour), so tests were not required. The PR title "docs: add SECURITY.md security policy" follows conventional-commit format.
One non-blocking note echoing the author: the 5-business-day ack target and the out-of-scope list are policy choices worth a maintainer sanity-check, but neither blocks merge.
Reviewed and approved! 🟢 No findings — all factual claims check out against the repo, and the PR passes the full org/postguard-business rule set. One non-blocking note I left on the review: worth a quick sanity-check that the 5-business-day acknowledgement target is realistic given your current team bandwidth, and that the out-of-scope list covers everything you intend to exclude. Otherwise this looks great — nice to have a proper responsible-disclosure policy in place. 🔒
Closes #102.

Adds a SECURITY.md responsible-disclosure policy. GitHub surfaces it in the repo's Security tab and the "Report a vulnerability" flow, so external researchers have a documented, private way to report issues instead of opening public issues.

What's in it

main/ latest release; no backports to older tags).

Please sanity-check the 5-business-day target and the out-of-scope list against how the team actually wants to handle reports — both are easy to adjust.