Add comprehensive SECURITY.md covering:
- Supported versions policy
- Private vulnerability reporting (email + GitHub)
- 90-day disclosure window with timelines
- CVE assignment via GitHub Security Advisories
- In-scope and out-of-scope vulnerability classes
- Safe harbor policy for good-faith researchers

Add security issue template redirecting users to private reporting.

Add Security section to CONTRIBUTING.md and README.md with links to SECURITY.md.

Add docs/security/pgp-public-key.asc placeholder with generation instructions.

References: bead pdftract-58kz, plan line 3433

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
34 lines
959 B
Text
-----BEGIN PGP PUBLIC KEY BLOCK-----

PLACEHOLDER PGP KEY FOR security@jedarden.com

This file should contain the actual PGP public key for the pdftract security
contact email (security@jedarden.com). The key must be:

1. A 4096-bit RSA key or equivalent
2. Associated with the email security@jedarden.com
3. Published with the fingerprint in README.md and SECURITY.md
4. Rotated every 2 years

To generate this key:

gpg --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: pdftract Security
Name-Email: security@jedarden.com
Expire-Date: 0
%no-protection
%commit
EOF

gpg --armor --export security@jedarden.com > docs/security/pgp-public-key.asc

gpg --fingerprint security@jedarden.com # Add this to README.md and SECURITY.md

After generating the key, replace this entire file with the output of:
gpg --armor --export security@jedarden.com

-----END PGP PUBLIC KEY BLOCK-----
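The placeholder above is meant to be overwritten with the output of `gpg --armor --export`, and nothing in the commit checks that this actually happened before the file ships. The script below is an added example (not part of the pdftract commit) of a CI check for that: it verifies the ASCII armor and its CRC-24 checksum (RFC 4880 section 6.1), parses the first OpenPGP packet, confirms it is a Public-Key packet carrying RSA of at least 4096 bits as item 1 requires, and computes the v4 fingerprint so it can be compared with the one published in README.md and SECURITY.md (item 3). The function names, the `expected_fingerprint` parameter and the synthetic sample key built by `build_sample_armor` are assumptions of this example; the sample modulus is a made-up number used only to exercise the parser.

```python
"""Validate an armored OpenPGP public key file (standard library only)."""
import base64
import hashlib
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Packet bytes inside the armor; ValueError for placeholder text, bad base64 or bad CRC."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing BEGIN/END armor lines")
    inner = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if "" in inner:  # armor headers (Version:, Comment:) end at the first blank line
        inner = inner[inner.index("") + 1:]
    inner = [ln for ln in inner if ln]
    checksum = inner.pop()[1:] if inner and inner[-1].startswith("=") else None
    body = "".join(inner)
    if not body or not re.fullmatch(r"[A-Za-z0-9+/=]+", body):
        raise ValueError("armor body is not base64 (still the placeholder text?)")
    raw = base64.b64decode(body, validate=True)
    if checksum and crc24(raw) != int.from_bytes(base64.b64decode(checksum), "big"):
        raise ValueError("CRC-24 mismatch: file corrupted or hand-edited")
    return raw

def first_packet(raw: bytes) -> tuple:
    """Parse one packet header (RFC 4880 section 4.2); return (tag, body)."""
    if not raw or not (raw[0] & 0x80):
        raise ValueError("not an OpenPGP packet stream")
    first = raw[0]
    if first & 0x40:  # new-format header
        tag, b1 = first & 0x3F, raw[1]
        if b1 < 192:
            length, off = b1, 2
        elif b1 < 224:
            length, off = ((b1 - 192) << 8) + raw[2] + 192, 3
        elif b1 == 255:
            length, off = int.from_bytes(raw[2:6], "big"), 6
        else:
            raise ValueError("partial-length packets not supported")
    else:  # old-format header, which gpg uses for key packets (0x99 = tag 6, 2-byte length)
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packet")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(raw[1:1 + size], "big"), 1 + size
    body = raw[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def fingerprint(body: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99 || 2-byte length || packet body (RFC 4880 12.2)."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def validate_key_file(text: str, expected_fingerprint: str = "") -> dict:
    """Run every check; return key facts, or raise ValueError naming the failed check."""
    tag, body = first_packet(dearmor(text))
    if tag != 6:
        raise ValueError(f"first packet is tag {tag}, not a Public-Key packet (6)")
    algo = body[5]
    info = {"version": body[0], "algorithm": ALGO_NAMES.get(algo, f"unknown({algo})"),
            "fingerprint": fingerprint(body), "bits": None}
    if algo == 1:  # RSA: first MPI is the modulus n; its 2-byte prefix is the bit count
        info["bits"] = int.from_bytes(body[6:8], "big")
        if info["bits"] < 4096:
            raise ValueError(f"RSA key is {info['bits']} bits; policy requires 4096")
    want = expected_fingerprint.replace(" ", "").upper()
    if want and want != info["fingerprint"]:
        raise ValueError("fingerprint differs from the one published in README.md/SECURITY.md")
    return info

def build_sample_armor(n: int = (1 << 4095) | 1, e: int = 65537, created: int = 1700000000) -> str:
    """Constructed input: a v4 RSA Public-Key packet with a synthetic (not real) modulus, armored like gpg."""
    def mpi(x: int) -> bytes:
        return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body  # old-format header, tag 6
    b64 = base64.b64encode(packet).decode()
    crc = "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [crc, END, ""])
```

Wire it into CI as `validate_key_file(open("docs/security/pgp-public-key.asc").read(), "<fingerprint from README.md>")`; with the placeholder still in place it fails at the base64 step, and a hand-edited or truncated export fails the CRC-24 or packet-length check. Key expiry is not checked here because it lives in the self-signature packet, which this parser does not read; note also that the recipe's `Expire-Date: 0` produces a key with no expiry, so the two-year rotation in item 4 is a process commitment rather than something the key itself enforces.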