Add SECURITY.md for security policy and reporting #8
Igor Holt (igor-holt) wants to merge 1 commit into
Added a security policy document outlining supported versions and vulnerability reporting.
Pull request overview
This pull request adds a SECURITY.md file to establish a security policy for the project, including information about supported versions and vulnerability reporting procedures.
Changes:
- Added SECURITY.md file with security policy template
| Use this section to tell people about which versions of your project are | ||
| currently being supported with security updates. | ||
|
|
||
| | Version | Supported | | ||
| | ------- | ------------------ | | ||
| | 5.1.x | :white_check_mark: | | ||
| | 5.0.x | :x: | | ||
| | 4.0.x | :white_check_mark: | | ||
| | < 4.0 | :x: | |
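Review bot: Beyond being template sample numbers, the rows in this table describe a support pattern that is internally inconsistent: 5.0.x is marked unsupported while the older 4.0.x is marked supported, which is not a rule a user can reason about. When the rows are replaced with the project's real release lines, also state the rule behind them (for example, which minor of each maintained major still receives security fixes) so that the table and the rule agree, and drop the "Use this section to tell people ..." instruction text, which is addressed to the maintainer rather than the reader.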
The supported versions table appears to use placeholder version numbers (5.1.x, 5.0.x, 4.0.x). These should be replaced with actual project versions that reflect the real versioning scheme of this project. Review the project's release history and update the table accordingly.
| Use this section to tell people about which versions of your project are | |
| currently being supported with security updates. | |
| | Version | Supported | | |
| | ------- | ------------------ | | |
| | 5.1.x | :white_check_mark: | | |
| | 5.0.x | :x: | | |
| | 4.0.x | :white_check_mark: | | |
| | < 4.0 | :x: | | |
| The table below describes which releases currently receive security updates. | |
| | Release type | Supported | | |
| | -------------------- | ------------------ | | |
| | Latest stable release| :white_check_mark: | | |
| | Older releases | :x: | |
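Review bot: The replacement table removes the placeholder versions but leaves "Latest stable release" undefined; a reporter cannot tell from this file which tag that is or where releases are published. Add a sentence pointing to where releases are tagged, and state explicitly that fixes are not backported, since "Older releases | :x:" implies that users must upgrade to receive security fixes.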
| Use this section to tell people how to report a vulnerability. | ||
|
|
||
| Tell them where to go, how often they can expect to get an update on a | ||
| reported vulnerability, what to expect if the vulnerability is accepted or | ||
| declined, etc. |
This placeholder text should be replaced with actual vulnerability reporting instructions. Include specific contact information (e.g., security email address, GitHub Security Advisories), expected response times, and the process for handling reported vulnerabilities. Without this information, the security policy is not actionable for users who discover vulnerabilities.
| Use this section to tell people how to report a vulnerability. | |
| Tell them where to go, how often they can expect to get an update on a | |
| reported vulnerability, what to expect if the vulnerability is accepted or | |
| declined, etc. | |
| If you believe you have found a security vulnerability in this project, please report it to us as quickly as possible using one of the following options: | |
| - **Email:** Send a detailed report to `security@example.com`. | |
| - **GitHub Security Advisories:** If this project is hosted on GitHub, you may alternatively open a private security advisory from the repository's **Security → Advisories** page. | |
| When reporting a vulnerability, please include: | |
| - A description of the issue and the affected component(s) | |
| - Steps to reproduce, including any proof‑of‑concept code or configuration | |
| - The impact you believe the issue may have | |
| - Any relevant logs, screenshots, or environment details (OS, versions, etc.) | |
| We ask that you **do not** disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and prepare a fix. | |
| ### Response and Disclosure Process | |
| - We aim to acknowledge receipt of vulnerability reports within **3 business days**. | |
| - After initial acknowledgment, we will provide updates at least **every 7 business days** until the issue is resolved or we determine it is not a security vulnerability. | |
| - If we confirm the vulnerability, we will work to develop and publish a fix as soon as reasonably practical, taking into account the severity and complexity of the issue. | |
| - Once a fix is available, we may publish a security advisory and, where appropriate, credit the reporter (unless you request to remain anonymous). | |
| - If we determine that a reported issue is not a security vulnerability, we will explain our reasoning to you. |
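Review bot: `security@example.com` in the line "**Email:** Send a detailed report to `security@example.com`" uses a reserved example domain, so as written any report sent there goes nowhere; replace it with a monitored mailbox before this merges. The GitHub option is phrased conditionally ("If this project is hosted on GitHub"), but this repository is on GitHub, so state it directly, and keep in mind that the private "Report a vulnerability" flow under Security → Advisories is only available to outside reporters once private vulnerability reporting is enabled in the repository settings. The commitments to acknowledge within 3 business days and update every 7 business days are reasonable, but they only hold if someone owns that mailbox; naming the responsible team or role makes the promise credible.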
Igor Holt (@igor-holt) I've opened a new pull request, #10, to work on those changes. Once the pull request is ready, I'll request review from you.
This pull request adds a new SECURITY.md file to the project, establishing a clear security policy and guidance for users and contributors.
Security documentation:
- SECURITY.md file outlining supported versions for security updates and providing instructions for reporting vulnerabilities.