
Add SECURITY.md to enable private vulnerability reporting#515

Open
lihnucs wants to merge 1 commit into angryip:master from lihnucs:patch-1

Conversation


@lihnucs lihnucs commented May 13, 2026

What this PR adds

A SECURITY.md file at the repository root, which:

  • Tells reporters which versions receive security fixes
  • Provides a clear, private channel for submitting vulnerability reports
  • Sets response time expectations (14-day acknowledgement, 90-day disclosure window)
  • Defines what is in and out of scope

Why

Without a SECURITY.md, security reporters have no official channel and
may resort to opening public issues, which exposes vulnerability details
before a fix is available.

Once this file is merged, GitHub will display a "Report a vulnerability"
button on the Security tab, giving reporters a confidential submission path
directly to the maintainers.

One follow-up step for maintainers

After merging, please enable Private vulnerability reporting under:

Settings → Code security and analysis → Private vulnerability reporting → Enable

This activates the "Report a vulnerability" button that the SECURITY.md
references. Without this step the button will not appear.

Notes

  • The [maintainer email] placeholder on line 22 should be replaced with
    a real contact address before or after merging
  • The supported versions table may need updating as new releases are made

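The maintainer follow-up step described above, shown here as an added example that is not part of this PR or of the angryip project: instead of clicking through Settings, the same toggle can be checked and flipped from a terminal or a CI job with the GitHub REST API via the `gh` CLI, using `GET` and `PUT` on `/repos/{owner}/{repo}/private-vulnerability-reporting`. `OWNER/REPO` is a placeholder for the real repository slug, and the script assumes `gh` is authenticated with a token that has admin rights on that repository.

```shell
#!/usr/bin/env sh
# Added example (not part of this PR): check and, if needed, enable GitHub
# private vulnerability reporting for a repository through the REST API.
#   GET /repos/{owner}/{repo}/private-vulnerability-reporting -> {"enabled": true|false}
#   PUT /repos/{owner}/{repo}/private-vulnerability-reporting -> 204 No Content
# Assumes `gh` is installed and authenticated with a token that has admin
# permission on the target repository. Usage: ./pvr.sh OWNER/REPO
set -eu

# Turn the GET response body into "enabled" / "disabled" without needing jq.
# Whitespace is stripped first so both compact and pretty-printed JSON match.
# Returns non-zero (and prints "unknown") if no boolean "enabled" field is found.
pvr_state_from_json() {
    compact="$(printf '%s' "$1" | tr -d ' \n\t')"
    if printf '%s' "$compact" | grep -q '"enabled":true'; then
        printf 'enabled\n'
    elif printf '%s' "$compact" | grep -q '"enabled":false'; then
        printf 'disabled\n'
    else
        printf 'unknown\n'
        return 1
    fi
}

# Fetch the current setting. `gh api` exits non-zero on an error response
# (for example when the caller lacks permission), which `set -e` turns into
# an abort rather than silently treating the repo as "disabled".
pvr_status() {
    gh api "/repos/$1/private-vulnerability-reporting"
}

# Enable the feature. A successful PUT returns 204 with an empty body.
pvr_enable() {
    gh api --method PUT "/repos/$1/private-vulnerability-reporting"
}

# Only talk to GitHub when a repo slug is given; with no argument the
# functions are merely defined (handy for sourcing or for offline testing).
if [ "${1:-}" != "" ]; then
    repo="$1"
    state="$(pvr_state_from_json "$(pvr_status "$repo")")" || exit 1
    if [ "$state" = "enabled" ]; then
        echo "Private vulnerability reporting is already enabled on $repo"
    else
        pvr_enable "$repo"
        echo "Enabled private vulnerability reporting on $repo"
    fi
fi
```

Run it once after merging, then confirm on the repository's Security tab that the "Report a vulnerability" button is present; the `GET` call is also a cheap thing to assert in CI so the setting cannot be switched off unnoticed later.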