Skip to content

Commit e57d281

Browse files
committed
feat: enhance SECURITY.md with comprehensive vulnerability disclosure policy
- Add supported versions table for all commit-check projects - Add GitHub Security Advisories links as preferred reporting channel - Add detailed vulnerability report template (version, type, PoC, etc.) - Add clear response timeline (48h acknowledge, 5d triage, 14d fix) - Add coordinated disclosure process description - Add PGP key placeholder for future encrypted communication - Add security best practices for users - Add acknowledgments section
1 parent 4a68c86 commit e57d281

1 file changed

Lines changed: 74 additions & 9 deletions

File tree

SECURITY.md

Lines changed: 74 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,21 +1,86 @@
11
# Security Policy
22

3-
If you find a security vulnerability in any Commit Check project, please report it privately.
3+
The **Commit Check** project takes the security of its software seriously. This document outlines our vulnerability disclosure process and supported versions.
4+
5+
## Supported Versions
6+
7+
Only the **latest** release of each project (`commit-check`, `commit-check-action`, `commit-check-mcp`) receives security patches.
8+
9+
| Project | Supported |
10+
|---------|-----------|
11+
| commit-check (PyPI) | ✅ Latest release only |
12+
| commit-check-action | ✅ Latest release only |
13+
| commit-check-mcp | ✅ Latest release only |
14+
| Older versions | ❌ Not supported |
15+
16+
Please keep your dependencies up to date.
417

518
## Reporting a Vulnerability
619

7-
**Do not open a public GitHub issue.** Instead, send an email to:
20+
**Do not open a public GitHub issue.** If you discover a security vulnerability in any Commit Check project, please report it privately.
21+
22+
### Preferred: GitHub Security Advisories
23+
24+
Use the **"Report a vulnerability"** feature on the relevant repository:
25+
26+
- https://github.com/commit-check/commit-check/security/advisories/new
27+
- https://github.com/commit-check/commit-check-action/security/advisories/new
28+
- https://github.com/commit-check/commit-check-mcp/security/advisories/new
29+
30+
This allows us to triage and patch the issue privately before public disclosure.
31+
32+
### Alternative: Email
33+
34+
If you cannot use the GitHub Security Advisories feature, send an email to:
835

936
**[xianpeng.shen@gmail.com](mailto:xianpeng.shen@gmail.com)**
1037

11-
Please include:
38+
### What to Include
1239

13-
- Which project and version is affected
14-
- A description of the issue and its impact
15-
- Steps to reproduce (or a proof of concept)
40+
Please provide as much of the following information as possible:
1641

17-
You will receive an acknowledgment within 48 hours, followed by a plan for resolution.
42+
- **Project and version** affected (e.g., commit-check v2.15.0)
43+
- **Type of vulnerability** (e.g., arbitrary code execution, denial of service, information disclosure)
44+
- **Description** of the issue and its potential impact
45+
- **Steps to reproduce** or a proof of concept (PoC)
46+
- **Affected components** (e.g., CLI, GitHub Action, MCP Server)
47+
- **Any suggested mitigation** (if known)
1848

19-
## Supported Versions
49+
### What to Expect
50+
51+
| Step | Timeframe |
52+
|------|-----------|
53+
| Acknowledgment | Within 48 hours |
54+
| Initial assessment & triage | Within 5 business days |
55+
| Fix development | Within 14 days (critical issues) |
56+
| Coordinated disclosure | After a patch is released |
57+
58+
We will keep you informed of progress throughout the process.
59+
60+
## Coordinated Disclosure
61+
62+
We believe in responsible disclosure. We will:
63+
64+
1. Work with the reporter to understand and validate the issue
65+
2. Develop and test a fix in a private fork
66+
3. Release a patched version
67+
4. Credit the reporter in the release notes (if they wish)
68+
69+
We ask reporters to give us a reasonable timeframe to address the issue before public disclosure.
70+
71+
## PGP Key
72+
73+
If you need to communicate sensitive information via encrypted email, you can use the following PGP key:
74+
75+
> **Note:** A PGP key will be published here once generated. In the meantime, please use GitHub Security Advisories or the contact email above.
76+
77+
## Security best practices for users
78+
79+
- Always use the **latest version** of Commit Check tools
80+
- Verify artifact attestations when using GitHub Action (we provide SLSA attestation for releases)
81+
- Review commit signatures in sensitive environments
82+
- Use branch protection rules alongside Commit Check
83+
84+
## Acknowledgments
2085

21-
Only the latest release of each project receives security patches. Please keep your dependencies up to date.
86+
We thank the security researchers and community members who responsibly disclose vulnerabilities to us.

0 commit comments

Comments
 (0)