Create SECURITY.md for security policy and vulnerability reporting #2130
lafrej8962-design wants to merge 1 commit into
Conversation
Added a security policy document outlining supported versions and vulnerability reporting.
Greptile Summary
This PR introduces a
Confidence Score: 3/5
The file should not be merged in its current state — it contains no real information and would actively mislead security researchers about which versions are supported and how to report issues. Both the version table and the vulnerability reporting section are unmodified GitHub template placeholders. The version numbers listed (5.x, 4.x) do not correspond to any real release of this project, and the reporting section gives no contact method, response timeline, or disclosure process whatsoever. Merging this as-is publishes a security policy that cannot be acted upon. SECURITY.md needs the version table replaced with actual project release lines and the reporting section filled in with real contact details and process before this is ready.
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Security Researcher Finds Vulnerability] --> B{Consult SECURITY.md}
B --> C[Check Supported Versions table]
C --> D{Version listed?}
D -- "No — table shows 5.x/4.x,\nproject is at 1.x" --> E[❌ Cannot determine if version is supported]
D -- Yes --> F[Follow Reporting Instructions]
F --> G{Instructions provided?}
G -- "No — section is\nplaceholder text only" --> H[❌ No contact info, no process, no response SLA]
G -- Yes --> I[✅ Submit vulnerability report]
Reviews (1): Last reviewed commit: "Create SECURITY.md for security policy"
Seemed incomplete and spammy/unwanted PR.
| | Version | Supported | | ||
| | ------- | ------------------ | | ||
| | 5.1.x | :white_check_mark: | | ||
| | 5.0.x | :x: | | ||
| | 4.0.x | :white_check_mark: | | ||
| | < 4.0 | :x: | |
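Review bot: the Supported column is inconsistent even on its own terms: 5.0.x is marked :x: while the older 4.0.x is marked :white_check_mark:, which no reader can turn into a rule. When the table is replaced with the project's real release lines (the review below cites 1.11.8 from package.json), state the support policy in one sentence above it, for example "security fixes are backported to the latest minor of each maintained major", so the table can be kept current without ambiguity.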
Version table reflects template placeholder, not actual project versions
The project's current version is 1.11.8 (as declared in package.json), but the table lists versions 5.1.x, 5.0.x, and 4.0.x — none of which exist in this repository. These are the unmodified placeholder values from GitHub's default SECURITY.md template. A security researcher reading this would have no idea which real releases receive patches.
| ## Reporting a Vulnerability | ||
|
|
||
| Use this section to tell people how to report a vulnerability. | ||
|
|
||
| Tell them where to go, how often they can expect to get an update on a | ||
| reported vulnerability, what to expect if the vulnerability is accepted or | ||
| declined, etc. |
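Review bot: besides being placeholder text, this section names no private channel, so the only route a finder has is a public issue, which discloses the bug before a fix exists. Replace the three template sentences with a private contact (a security mailbox or the repository's GitHub private vulnerability reporting link), an acknowledgement window, and what happens after triage (fix, advisory, credit), so reports reach maintainers without being public.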
Reporting section is entirely placeholder text with no actionable instructions
The entire "Reporting a Vulnerability" section is unmodified from the GitHub template ("Use this section to tell people how to report a vulnerability…"). There is no email address, GitHub Security Advisories link, expected response time, or disclosure process. Anyone discovering a vulnerability would have nowhere to report it, defeating the purpose of the file.
|
|
||
| Use this section to tell people about which versions of your project are | ||
| currently being supported with security updates. |
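Review bot: these two lines are the template's instructions to the file's author, not policy text, and would be published verbatim to readers of SECURITY.md. Replace them with a direct statement of which release lines receive security updates, matching the actual project versions (the review above notes the current version is 1.11.8), so the introduction and the table below it agree.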