
docs: enhance security policy with scope, severity ratings and response timelines #821

Closed
tejas0077 wants to merge 2 commits into getprobo:main from tejas0077:fix/improve-iso27001-controls

Conversation


@tejas0077 tejas0077 commented Mar 12, 2026

What does this PR do?
Enhances the SECURITY.md with a comprehensive security
policy aligned with ISO/IEC 27001:2022 standards.

Changes made:

  • Added clear In Scope / Out of Scope sections
  • Added response timeline table
  • Added severity rating table (CVSS v3.1 + ISO 27001 aligned)
  • Added Hall of Fame section for researchers
  • Added responsible disclosure commitment
  • Updated formatting for clarity

Why?

As an ISO 27001 Lead Auditor, I noticed the existing policy
lacked scope definition, severity classifications, and clear
response timelines — all critical components of a mature
security disclosure policy.

References

  • ISO/IEC 27001:2022
  • CVSS v3.1 Scoring Standard

Summary by cubic

Enhances SECURITY.md to align with ISO/IEC 27001:2022 by defining scope, CVSS v3.1 severity ratings, and clear response timelines. Also cleans up disclosure instructions and removes the legacy policy block.

  • New Features
    • Defined in-scope and out-of-scope targets.
    • Set response timelines (48h ack, 5d assessment, 30/90d resolution).
    • Added severity ratings aligned with CVSS v3.1 and ISO 27001.
    • Improved disclosure process: added a “what to include” checklist, supported versions table, responsible disclosure and Hall of Fame; removed legacy policy content.

Written for commit 46299ad. Summary will update on new commits.

…se timelines

Signed-off-by: Tejas Saubhage <tsaubhage0007@gmail.com>

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="SECURITY.md">

<violation number="1" location="SECURITY.md:96">
P1: SECURITY.md contains an accidentally appended legacy policy block, causing conflicting disclosure instructions and outdated metadata.</violation>
</file>

Since this is your first cubic review, here's how it works:

  • cubic automatically reviews your code and comments on bugs and improvements
  • Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
  • Add one-off context when rerunning by tagging @cubic-dev-ai with guidance or docs links (including llms.txt)
  • Ask questions if you need clarification on any suggestion

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

…tructions

Signed-off-by: Tejas Saubhage <tsaubhage0007@gmail.com>
@SachaProbo (Contributor) commented

Thanks for your PR, but we don't want to change our security policy for now.

@SachaProbo SachaProbo closed this Mar 12, 2026
@tejas0077 (Author) commented Mar 12, 2026

Thanks for the feedback Sacha!
Completely understood — happy to contribute
in other ways.

Just raised PR #822 adding missing ISO 27001
aligned risks to the risk library.
Hope that's more useful!
