chore(security): rewrite SECURITY.md with SOC2-ready policy

[anandray]

Summary

Adds explicit triage/remediation SLA (critical 7d, high 30d, medium 90d), documents the current scanning toolchain (CodeQL, Scorecard, Trivy, Dependabot, secret scanning), branch protection on develop, and quarterly access reviews. Updates the reporting address from a non-routable security@ alias to anand.ray@rocketride.ai pending shared-mailbox creation.

Refs #760

Type

Testing

• Tests added or updated
• Tested locally
• ./builder test passes

Checklist

• Commit messages follow conventional commits
• No secrets or credentials included
• Wiki updated (if applicable)
• Breaking changes documented (if applicable)

Linked Issue

Fixes #763

Summary by CodeRabbit

• Documentation
  • Security policy rewritten and expanded into a formal vulnerability program.
  • Clarifies supported/unsupported version guidance and case-by-case treatment for critical issues.
  • Introduces an SLA-style "What to Expect" triage table for vulnerability reporting.
  • Adds vulnerability triage details: scanning coverage, listed tools, and two-person dismissal control with documented justification.
  • Replaces disposition language with an explicit disposition table and evidence requirements.
  • Adds branch protection, quarterly access-review guidance, and public disclosure/advisory publication with reporter crediting.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

SECURITY.md was reworked to expand supported-versions guidance, replace SLA bullets with a triage/remediation SLA table, document GitHub-native scanning and alert dismissal flows, standardize triage dispositions, and add develop branch protection, quarterly access reviews, and public disclosure rules.

Changes

SECURITY Policy Update

Layer / File(s)	Summary
Supported Versions SECURITY.md	Updates supported/unsupported version table and notes critical-severity issues in unsupported versions are evaluated case-by-case.
Acknowledgment & SLA Table SECURITY.md	Replaces prior "What to Expect" bullets with a structured acknowledgment and triage/remediation SLA table by severity.
Vulnerability & Alert Triage / Tooling SECURITY.md	Documents GitHub scanning on develop, lists scanning tools/coverage (CodeQL, Scorecard, Trivy, Dependabot, secret scanning, etc.), and maps findings to the GitHub alert dismissal workflow with delegated-dismissal process language.
Triage Dispositions SECURITY.md	Replaces dispositions list with a disposition table that standardizes categories and required evidence capture; updates accepted-risk naming.
Governance Controls SECURITY.md	Adds develop branch protection requirements, quarterly access review guidance and documentation expectations, and public vulnerability disclosure/advisory publication and reporter-crediting rules.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• rocketride-org/rocketride-server#800: Also modifies SECURITY.md to expand vulnerability triage and dismissal policy (two-person control, dispositions, tool handling).
• rocketride-org/rocketride-server#768: Related changes touching repository scanning/CodeQL configuration and GitHub scanning defaults.

Suggested reviewers

• jmaionchi
• Rod-Christensen
• kwit75
• stepmikhaylov

Poem

🐰 In burrows of code I nibble and see,

SLAs like carrots hung tidy on a tree,
Scanners patrol branches where commits softly tread,
Quarterly checks and advisories posted ahead,
I hop off content — safer code, carrot fed.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: rewriting SECURITY.md for SOC2 compliance, which is the primary objective of the PR.
Linked Issues check	✅ Passed	The PR fully implements all coding requirements from issue #763: SLA table, scanning toolchain documentation, branch protection, access reviews, and disposition policy changes.
Out of Scope Changes check	✅ Passed	All changes in SECURITY.md directly support SOC2 CC7.1 compliance and the objectives in issue #763; no out-of-scope modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch develop-security-soc2-05052026

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

No description provided.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Around line 9-10: Replace the single-person contact in the SECURITY.md
vulnerability intake section by adding a shared, monitored alias and at least
one backup/escalation mailbox; update the existing "**Email:**
anand.ray@rocketride.ai" line to include a team alias (e.g.,
security@rocketride.ai) and append an "Escalation / Backup" line listing
secondary contacts or rotation procedures, and ensure the "**GitHub Private
Vulnerability Reporting:**" entry references the same monitored alias or
documents the escalation path so intake isn't dependent on one individual.
- Around line 50-51: Replace brittle hard-coded CI check names and fixed
schedule text (e.g., "CI OK", "Analyze (python)", "Analyze
(javascript-typescript)", and the cadence/force-push wording) with a policy
statement referencing "required checks configured in branch protection" and
"security scans configured in GitHub Actions"; remove specific job
names/schedules from SECURITY.md and add a note that exact job names and scan
cadence belong in the operational runbook so audits reference the canonical
config there.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9b0d9a57-942b-43f4-9c3e-d6331a77e433

📥 Commits

Reviewing files that changed from the base of the PR and between 56cf4ef and 4a06aff.

📒 Files selected for processing (1)

• SECURITY.md

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

SECURITY.md (1)

9-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid single-person vulnerability intake dependency.

The primary email path still depends on one individual mailbox, which is a continuity risk for security intake. Add a shared monitored alias and explicit backup/escalation contact in this policy.

Proposed doc update

-- **Email:** anand.ray@rocketride.ai
+- **Email:** security@rocketride.ai (monitored shared mailbox)
+- **Escalation / Backup:** anand.ray@rocketride.ai (until shared mailbox migration is complete)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 9 - 10, Replace the single-person contact in the
SECURITY.md entry that currently shows "**Email:** anand.ray@rocketride.ai" with
a shared, monitored alias (e.g., security@rocketride.ai) and add an explicit
backup/escalation contact line (e.g., "**Escalation contact:**
security-lead@rocketride.ai or PagerDuty/rotation details") next to or below the
existing "**GitHub Private Vulnerability Reporting:**" entry; ensure the text
also notes monitoring/SLAs for the alias and that the original personal mailbox
is listed only as a secondary/backup contact.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Around line 14-25: The intake sentence ("We aim to acknowledge reports within
2 business days and provide a triage decision within 5 business days") conflicts
with the severity-specific triage SLAs in the "Triage and Remediation SLA" table
(e.g., Critical = 1 business day); update SECURITY.md to remove ambiguity by
replacing the generic "provide a triage decision within 5 business days" with a
sentence that defers to the table (e.g., "we aim to provide a triage decision
within the timeframes specified in the Triage and Remediation SLA table below"),
or conversely adjust the table to match a single 5-business-day intake
policy—ensure the intake line explicitly references the table and keep the table
rows (Critical/High/Medium/Low) consistent with that choice so auditors can
unambiguously determine applicable triage SLAs.
- Line 46: Update the sentence that refers to GitHub to use the canonical
capitalization "GitHub" (capital G and H) instead of any other casing; locate
the line containing "Tool configuration, cadence, and exact workflow names are
maintained in `.github/workflows/` and the repository's security settings —
refer to those as the source of truth." and change the product name to "GitHub"
for consistency with official naming.

---

Duplicate comments:
In `@SECURITY.md`:
- Around line 9-10: Replace the single-person contact in the SECURITY.md entry
that currently shows "**Email:** anand.ray@rocketride.ai" with a shared,
monitored alias (e.g., security@rocketride.ai) and add an explicit
backup/escalation contact line (e.g., "**Escalation contact:**
security-lead@rocketride.ai or PagerDuty/rotation details") next to or below the
existing "**GitHub Private Vulnerability Reporting:**" entry; ensure the text
also notes monitoring/SLAs for the alias and that the original personal mailbox
is listed only as a secondary/backup contact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 65f11f34-efb7-43be-9a70-253c0d62366c

📥 Commits

Reviewing files that changed from the base of the PR and between 4a06aff and 17b7c27.

📒 Files selected for processing (1)

• SECURITY.md

[coderabbitai]

♻️ Duplicate comments (2)

SECURITY.md (2)

46-46: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

GitHub capitalization still needs correction.

Line 46 should use "GitHub security settings" (capital H) for consistency with official product naming in compliance documentation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` at line 46, Update the phrase in SECURITY.md that currently
reads "the repository's security settings" to "the repository's GitHub security
settings" so "GitHub" is capitalized; locate the sentence containing
".github/workflows/ and the repository's security settings" and replace it with
".github/workflows/ and the repository's GitHub security settings" to ensure
consistent official product naming.

---

9-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Single-person vulnerability intake channel remains unresolved.

The individual mailbox (anand.ray@rocketride.ai) creates a continuity risk for SOC2 security incident intake. The PR description acknowledges this is temporary pending a shared mailbox, but the policy should not go live for audit evidence until a monitored team alias or backup escalation path is in place.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 9 - 10, Replace the single-person intake address
"anand.ray@rocketride.ai" with a monitored team alias and add a backup
escalation path in the SECURITY.md contact section; update the "GitHub Private
Vulnerability Reporting" note to reference the team mailbox (or both the team
alias and the individual as secondary) and document the alternate escalation
contact and monitoring details so the policy shows a shared, monitored channel
and a backup for SOC2 evidence.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@SECURITY.md`:
- Line 46: Update the phrase in SECURITY.md that currently reads "the
repository's security settings" to "the repository's GitHub security settings"
so "GitHub" is capitalized; locate the sentence containing ".github/workflows/
and the repository's security settings" and replace it with ".github/workflows/
and the repository's GitHub security settings" to ensure consistent official
product naming.
- Around line 9-10: Replace the single-person intake address
"anand.ray@rocketride.ai" with a monitored team alias and add a backup
escalation path in the SECURITY.md contact section; update the "GitHub Private
Vulnerability Reporting" note to reference the team mailbox (or both the team
alias and the individual as secondary) and document the alternate escalation
contact and monitoring details so the policy shows a shared, monitored channel
and a backup for SOC2 evidence.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: beb1c5f9-7635-4dc9-bb9c-b81280596105

📥 Commits

Reviewing files that changed from the base of the PR and between 17b7c27 and 370fc28.

📒 Files selected for processing (1)

• SECURITY.md

[anandray]

Conflict resolved. Force-pushed 7893224a replacing the previous three commits with a single integrated rewrite on top of current develop (which now includes PR #800's "Vulnerability & Alert Triage" section).

What's preserved from #800 (already on develop):

• Two-Person Control on Alert Dismissals (request → approval-by-different-authorized-reviewer → auto-dismiss)
• Secret Scanning Push Protection vs alert-dismissal distinction
• Dependabot sub-bullets
• Scorecard-as-code-scanning-alert clarification

What this PR now adds on top:

• Scanning Tools and Coverage subsection — CodeQL (Python, JS/TS, C/C++), Scorecard, Trivy, Dependabot, Secret Scanning + Push Protection. Defers to .github/workflows and repo settings as source of truth.
• Branch Protection (develop) section — code-owner approval, required checks, force-push/deletion disallowed, linear history, stale reviews dismissed, admin bypass disabled.
• Access Reviews section — quarterly review of org members, outside collaborators, owners, and 2FA compliance.
• Public Vulnerability Disclosure section — advisory publication policy.
• Triage and Remediation SLA table — business days for triage / calendar days for remediation; replaces the prose SLA list previously on develop.
• "Critical-severity issues in unsupported versions evaluated case-by-case" note on Supported Versions.

Naming reconciliation in the Triage Dispositions table:

• Fix → Fixed (past tense matches closed-alert state)
• Won't fix → Accepted risk (better SOC2 terminology; now requires named approver, rationale, and re-evaluation date)

Reporting email: stays security@rocketride.ai — the shared mailbox now exists.

CodeRabbit will re-review on the new SHA.