
docs: add secirity policy and reporting guidelines#567

Merged
knoxiboy merged 1 commit into knoxiboy:main from manikanta-tamminana:docs/add-security-policy on Jun 3, 2026

Conversation

@manikanta-tamminana (Contributor) commented Jun 3, 2026

User description

Description

Adds a security policy and vulnerability reporting guidelines for DoubtDesk.

Changes Made

  • Added SECURITY.md
  • Added supported versions section
  • Added responsible vulnerability disclosure instructions
  • Added response timeline expectations
  • Added Security section to README.md
  • Added security reporting guidance to CONTRIBUTING.md

Related Issue

Closes #531

Type of Change

  • Documentation update (README, guides, comments)

Screenshots

Not applicable.

How Has This Been Tested?

  • Verified documentation changes locally

CodeAnt-AI Description

Add security reporting guidance and responsible disclosure instructions

What Changed

  • Added a security policy that explains how to report vulnerabilities privately instead of opening public issues
  • Listed the kinds of security problems that should be reported, along with the information to include in a report and the expected response timeline
  • Added security reporting guidance to the README and contributor instructions

Impact

✅ Clearer vulnerability reporting
✅ Fewer public security disclosures
✅ Faster security triage


Summary by CodeRabbit

  • Documentation
    • Added comprehensive security policy document covering vulnerability reporting procedures, version support status, response timelines, and responsible disclosure practices.
    • Updated README with new security section in table of contents.
    • Updated contributing guide with security issues subsection.

codeant-ai Bot commented Jun 3, 2026

CodeAnt AI is reviewing your PR.

vercel Bot commented Jun 3, 2026

@manikanta-tamminana is attempting to deploy a commit to the Karan Mani Tripathi's projects Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai Bot (Contributor) commented Jun 3, 2026

Walkthrough

This PR establishes a security vulnerability reporting process by adding a SECURITY.md policy document and integrating references to it in the README and contributing guide. The policy specifies responsible disclosure procedures, supported versions, required report contents, expected response timelines, and scope boundaries.

Changes

Security Policy Addition

Layer: Core security policy definition
File(s): SECURITY.md
Summary: Complete security policy defining supported versions (latest only), private vulnerability reporting instructions, required report content, 72-hour acknowledgement timeline, in-scope and out-of-scope issue definitions, and responsible disclosure expectations.

Layer: Security policy documentation links
File(s): README.md, CONTRIBUTING.md
Summary: README adds a Table of Contents link and Security section pointing to SECURITY.md; CONTRIBUTING.md adds a Security Issues subsection directing contributors to use SECURITY.md for private vulnerability disclosure instead of public GitHub issues.

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'docs: add secirity policy and reporting guidelines' directly describes the main changes but contains a typo: 'secirity' instead of 'security'.
Linked Issues check ✅ Passed All coding requirements from issue #531 are met: SECURITY.md created with supported versions, scope, response timeline, reporting instructions, and security guidance added to README.md and CONTRIBUTING.md.
Out of Scope Changes check ✅ Passed All changes are directly aligned with issue #531 objectives; no out-of-scope modifications detected across SECURITY.md, README.md, and CONTRIBUTING.md.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


github-actions[bot]

This comment was marked as spam.

@github-actions github-actions Bot requested a review from knoxiboy June 3, 2026 17:34
github-actions Bot left a comment

Technical Review

Hi @manikanta-tamminana! Thank you for your contribution to DoubtDesk.

The code changes look good. Before we can complete the technical review, approve, and merge this pull request, we have one final requirement for all contributors: Please star the DoubtDesk repository.

Once you have starred the repository, please drop a comment here saying "done" (or we will automatically detect it) and we will proceed with approving and merging your PR. Thank you.

github-actions Bot commented Jun 3, 2026

@coderabbitai review

github-actions Bot left a comment

Hello there! 🎉 Thank you so much for your first pull request to DoubtDesk!

We really appreciate your contribution. A maintainer will review your code soon. If you are participating in GSSoC, ensure your PR is linked to an open issue. Please make sure you have followed all rules in our Contributing Guidelines. Happy coding!

@codeant-ai codeant-ai Bot added the size:M This PR changes 30-99 lines, ignoring generated files label Jun 3, 2026
@github-actions github-actions Bot removed the size:M This PR changes 30-99 lines, ignoring generated files label Jun 3, 2026
codeant-ai Bot commented Jun 3, 2026

CodeAnt AI finished reviewing your PR.

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Around line 18-19: Update the ambiguous sentence "Instead, report the issue
privately to the project maintainers through GitHub or any official
communication channel provided by the maintainers." to name concrete private
reporting channels and make one primary: specify a monitored security email
(e.g., security@<your-domain>.com) and the GitHub Security Advisories URL
(https://github.com/OWNER/REPO/security/advisories) as the preferred paths,
instruct reporters to use those private channels first, and remove/replace the
generic "official communication channel" wording in SECURITY.md.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cad54202-ebbd-48df-bc8a-649fa4425d82

📥 Commits

Reviewing files that changed from the base of the PR and between 9d995bf and 22f9f86.

📒 Files selected for processing (3)
  • CONTRIBUTING.md
  • README.md
  • SECURITY.md

Comment thread SECURITY.md
Comment on lines +18 to +19
Instead, report the issue privately to the project maintainers through GitHub or any official communication channel provided by the maintainers.


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Define an explicit private reporting channel (not a generic “official channel”).

The current wording is ambiguous and can still route reports to public/non-triaged paths. Please name at least one concrete private path (e.g., security email and/or GitHub Security Advisories link) and make it the primary instruction.

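The review comment above asks for a concrete private reporting channel rather than "any official communication channel". The following script is an added example (not code from DoubtDesk or from CodeRabbit) of how a maintainer could lint a SECURITY.md for exactly that, plus the sections issue #531 asked for (supported versions, reporting instructions, scope, response timeline). The three policy texts inside it are constructed for the example; the ambiguous one mirrors the sentence quoted in the review, while the advisories URL (path form is GitHub's convention, the owner/repo taken from this PR) and the security@example.org mailbox in the fixed one are assumptions, not the project's real channels.

```python
"""Lint a SECURITY.md for a concrete private reporting channel and required sections."""
import re

# GitHub Security Advisories private-report URL (GitHub's path convention).
ADVISORY_RE = re.compile(
    r"https://github\.com/[\w.-]+/[\w.-]+/security/advisories(?:/new)?\b"
)
# A mailbox a reporter could write to.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Template values copied from a policy generator and never filled in.
PLACEHOLDER_RE = re.compile(r"OWNER/REPO|<your-domain>")
# Wording that leaves the reporter guessing where a private report goes.
GENERIC_PHRASES = (
    "any official communication channel",
    "through github or",
)
# Sections issue #531 asked for, matched (case-insensitively) against markdown headings.
REQUIRED_HEADINGS = {
    "supported versions": r"supported versions",
    "reporting instructions": r"report",
    "scope": r"scope",
    "response timeline": r"response|timeline",
}
HEADING_RE = re.compile(r"^#+\s*(.+?)\s*$", re.MULTILINE)


def check_security_policy(text: str) -> list[str]:
    """Return a list of findings; an empty list means the policy passes."""
    findings: list[str] = []
    lowered = text.lower()

    # A placeholder URL or address is not a channel anyone monitors.
    advisories = [u for u in ADVISORY_RE.findall(text) if not PLACEHOLDER_RE.search(u)]
    emails = [e for e in EMAIL_RE.findall(text) if not PLACEHOLDER_RE.search(e)]
    if not advisories and not emails:
        findings.append(
            "no concrete private reporting channel: add a security email "
            "or a GitHub Security Advisories URL"
        )
    for placeholder in PLACEHOLDER_RE.findall(text):
        findings.append(f"unfilled template placeholder: {placeholder!r}")
    for phrase in GENERIC_PHRASES:
        if phrase in lowered:
            findings.append(f"generic routing wording: {phrase!r}")

    headings = [h.lower() for h in HEADING_RE.findall(text)]
    for name, pattern in REQUIRED_HEADINGS.items():
        if not any(re.search(pattern, h) for h in headings):
            findings.append(f"missing section: {name}")
    return findings


def _policy(reporting_text: str) -> str:
    """Constructed SECURITY.md skeleton; only the reporting paragraph varies."""
    return (
        "# Security Policy\n\n"
        "## Supported Versions\nOnly the latest release receives security fixes.\n\n"
        "## Reporting a Vulnerability\n"
        "Please do not open a public GitHub issue for security problems.\n"
        f"{reporting_text}\n\n"
        "## Response Timeline\nWe aim to acknowledge reports within 72 hours.\n\n"
        "## Scope\nIn scope: the web application. Out of scope: third-party services.\n"
    )


# Mirrors the sentence the review flagged.
AMBIGUOUS_POLICY = _policy(
    "Instead, report the issue privately to the project maintainers through "
    "GitHub or any official communication channel provided by the maintainers."
)
# Hypothetical fixed wording: one primary private channel plus an alternative.
FIXED_POLICY = _policy(
    "Preferred: open a private report at\n"
    "https://github.com/knoxiboy/DoubtDesk/security/advisories/new\n"
    "Alternative: email security@example.org (hypothetical address)."
)
# Generator template that was never filled in.
PLACEHOLDER_POLICY = _policy(
    "Email security@<your-domain>.com or use "
    "https://github.com/OWNER/REPO/security/advisories"
)

if __name__ == "__main__":
    for name, text in [("ambiguous", AMBIGUOUS_POLICY), ("fixed", FIXED_POLICY),
                       ("placeholder", PLACEHOLDER_POLICY)]:
        print(name, check_security_policy(text) or "OK")
```

Run it as a pre-merge check on SECURITY.md (for example from a CI step that exits non-zero when the list is non-empty); the placeholder case shows why the URL and email matches are filtered before counting, since an unfilled template otherwise passes the channel check.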

@knoxiboy knoxiboy merged commit 4dc1d5c into knoxiboy:main Jun 3, 2026
11 of 15 checks passed
@manikanta-tamminana (Contributor, Author) commented

Hi @knoxiboy, I have already starred the repository. The check_star workflow still seems to be failing. Could you please re-run or approve the pending workflows? Thank you.

@github-actions github-actions Bot added gssoc:approved Approved for GSSoC mentor:knoxiboy Reviewed by mentor knoxiboy quality:clean Clean code quality and removed size/m labels Jun 3, 2026
Repository owner deleted a comment from github-actions Bot Jun 3, 2026
@knoxiboy knoxiboy added the level:beginner Beginner level task label Jun 3, 2026

Labels

gssoc:approved Approved for GSSoC level:beginner Beginner level task mentor:knoxiboy Reviewed by mentor knoxiboy quality:clean Clean code quality


Development

Successfully merging this pull request may close these issues.

Add SECURITY.md and vulnerability reporting guidance

2 participants