Skip to content

chore: add SECURITY.md (private vulnerability reporting policy)#591

Merged
yanhom1314 merged 2 commits into
dromara:masterfrom
eddieran:chore/security-policy
Jun 7, 2026
Merged

chore: add SECURITY.md (private vulnerability reporting policy)#591
yanhom1314 merged 2 commits into
dromara:masterfrom
eddieran:chore/security-policy

Conversation

@eddieran

@eddieran eddieran commented May 9, 2026

Copy link
Copy Markdown
Contributor

Why

dynamic-tp currently has no SECURITY.md. GitHub's Security tab shows the "Suggest a security policy" prompt for exactly this case. This PR is that suggestion.

What

Adds a draft SECURITY.md at the repo root, modelled on GitHub's standard template with sections tailored for a runtime thread-pool / config-center / notification framework (so the in-scope list highlights notifier SSRF, deserialization in config-loaders, etc.).

The most important part is documenting a private reporting channel so security researchers can responsibly disclose findings without having to choose between staying silent and posting to a public issue. The draft points at GitHub's Private Vulnerability Reporting (PVR) feature as the preferred channel, with an email fallback that maintainers can fill in.

Suggested action by maintainers after merge:

  1. Enable PVR via Settings → Code security → Private vulnerability reporting → Enable. Free for public repos.
  2. Optionally edit the email fallback in SECURITY.md to point at the maintainer's preferred address.

Sections in the draft:

  • Reporting a vulnerability (PVR + email fallback)
  • What to include
  • Scope and supported versions (with explicit out-of-scope examples to reduce triage burden)
  • Process / SLA / hall-of-fame

Maintainers should feel free to edit any section — the important thing is that a private channel exists.

Companion issue

See #590 for the request to enable PVR. This PR is the SECURITY.md half; merging this and enabling PVR together unblocks structured private disclosure.

Thanks for considering!

Adds a draft security policy modeled on GitHub's 'Suggest a security
policy' workflow. The most important part is documenting a private
reporting channel so researchers can responsibly disclose findings.

Maintainers should feel free to edit any section.
@KamToHung

Copy link
Copy Markdown
Collaborator

Great

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a repository-level security policy document (SECURITY.md) to enable/encourage responsible disclosure via private channels, aligning the repo with GitHub’s “Suggest a security policy” workflow and supporting Private Vulnerability Reporting (PVR).

Changes:

  • Add a new SECURITY.md describing how to report vulnerabilities (PVR + email fallback).
  • Document what details to include in a report, plus scope/out-of-scope examples.
  • Define a suggested disclosure process and optional recognition section.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread SECURITY.md Outdated
Comment thread SECURITY.md
Comment on lines +50 to +53
1. A maintainer will acknowledge receipt within roughly 1 week.
2. We'll triage the report: confirm severity, scope, and reproducibility.
3. We'll work with you on a fix and a coordinated disclosure timeline (typically up to 90 days, longer if the fix is structural).
4. On publication, we credit you in the advisory unless you ask not to be credited.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@yanhom1314 yanhom1314 merged commit 62fd118 into dromara:master Jun 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants