Skip to content

docs(security): add SECURITY.md security policy#473

Merged
rejifald merged 2 commits into
mainfrom
worktree-security-md
Jul 13, 2026
Merged

docs(security): add SECURITY.md security policy#473
rejifald merged 2 commits into
mainfrom
worktree-security-md

Conversation

@rejifald

Copy link
Copy Markdown
Owner

What

Adds a repository security policy at the repo root (SECURITY.md), where GitHub's Security tab and the new-issue flow surface it. The repo previously shipped without one, so GitHub's community-standards check flagged it missing and vulnerability reporters had no documented private channel.

Contents

  • Supported versions — latest 1.0.x / 1.0.0-rc.x receive security fixes; 0.x does not.
  • Private reporting — GitHub private vulnerability reporting (already enabled on this repo) as the preferred channel, maintainer email as fallback; explicit "do not open a public issue."
  • What to expect — 3-business-day acknowledgement, ~90-day coordinated fix/disclosure, reporter credit, short good-faith safe-harbor statement.
  • Scope — tuned to StitchAPI's real risk surface (credential leakage, OpenAPI codegen injection, playground sandbox / egress-confinement escape, SSRF/ReDoS), plus an out-of-scope list to filter scanner noise.

Why

Clears one of the v1.0 GA-cut checklist items (see docs/RELEASE.md and the GA blockers).

Notes

  • Docs only — no code changes.
  • Prettier-clean; full local pre-push suite (format, lint, contract, typecheck, tests, build-docs, yakir) green.

🤖 Generated with Claude Code

rejifald and others added 2 commits July 13, 2026 19:24
Repo security policy: supported-version window, private vulnerability
reporting (GitHub advisories preferred, email fallback), triage and
coordinated-disclosure expectations, and a StitchAPI-specific scope
(credential leakage, OpenAPI codegen injection, playground sandbox
escape). Clears a v1.0 GA-cut checklist item.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Acknowledge within 48h (was 3 business days) and frame fixes by severity
rather than a 90-day figure that read as "we'll take 3 months". Reword the
out-of-scope application-code item to describe root cause instead of
"your own ... merely uses".

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@rejifald rejifald merged commit 02b5cfe into main Jul 13, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant