pdftract/notes/pdftract-58kz.md
jedarden 5f656c99f8 docs(pdftract-58kz): add verification note
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 19:39:55 -04:00

pdftract-58kz Verification Note

Task

SECURITY.md — security@jedarden.com + 90-day disclosure window + private vuln reporting

Work Completed

Files Created/Modified

  1. SECURITY.md (created)

    • All 6 required sections present and complete:
      • Supported Versions (latest/previous minor support policy)
      • Reporting a Vulnerability (email + GitHub private reporting)
      • Disclosure Window (48h ack, 5 business days triage, 90-day fix window)
      • CVE Assignment (via GitHub Security Advisories)
      • Scope (in-scope: RCE, path traversal, SSRF, auth bypass; out-of-scope: DoS, deployment headers, upstream vulns)
      • Safe Harbor (adapted from Disclose.io template)
  2. docs/security/pgp-public-key.asc (created)

    • Placeholder with generation instructions
    • Specifies 4096-bit RSA key requirements
    • Documents 2-year rotation policy
  3. .github/ISSUE_TEMPLATE/security.md (created)

    • Redirects users to private reporting channels
    • Links to SECURITY.md for full policy
  4. CONTRIBUTING.md (modified)

    • Added Security section with responsible disclosure
    • Links to SECURITY.md for full disclosure policy
  5. README.md (modified)

    • Added Security section with security@jedarden.com link
    • Added PGP key reference with placeholder note
    • Verifying Releases section (pre-existing; confirmed present)

Commit

Acceptance Criteria Status

| Criterion | Status | Notes |
| --- | --- | --- |
| SECURITY.md exists with all six sections | PASS | All sections complete |
| security@jedarden.com alias set up and monitored | WARN | Infrastructure task; requires email admin |
| PGP key published with fingerprint in README | WARN | Placeholder with instructions; key generation requires security@jedarden.com to exist |
| GitHub Community Standards check green | WARN | Cannot verify from CLI; requires GitHub UI |
| Test report acknowledged within 48h | WARN | Infrastructure task; requires security@jedarden.com to be operational |
| Linked from README, CONTRIBUTING.md, issue template | PASS | All three link to SECURITY.md |
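
The two PASS rows above were verified by hand; the following added example (not part of this note or the pdftract repository) automates those documentation-only checks so they can run in CI. Section names, file paths and the alias come from the note; the sample file contents are constructed.

```python
import re

# The six sections the verification note requires in SECURITY.md.
REQUIRED_SECTIONS = ("Supported Versions", "Reporting a Vulnerability",
                     "Disclosure Window", "CVE Assignment", "Scope", "Safe Harbor")
SECURITY_EMAIL = "security@jedarden.com"
# Files the note says must link to SECURITY.md.
LINKING_FILES = ("README.md", "CONTRIBUTING.md", ".github/ISSUE_TEMPLATE/security.md")


def missing_sections(security_md: str) -> list:
    """Required sections with no ATX heading (any level) in SECURITY.md."""
    found = {m.group(1).strip().casefold()
             for m in re.finditer(r"^#{1,6}\s+(.+?)\s*#*\s*$", security_md, re.M)}
    return [s for s in REQUIRED_SECTIONS if s.casefold() not in found]


def check_policy(security_md: str, repo_files: dict) -> dict:
    """Evaluate the documentation-only acceptance criteria: criterion -> True (PASS) / False."""
    results = {
        "six sections present": not missing_sections(security_md),
        "reporting email present": SECURITY_EMAIL in security_md,
        "90-day window stated": re.search(r"\b90[- ]day", security_md, re.I) is not None,
    }
    for path in LINKING_FILES:  # each must reference SECURITY.md
        results[f"{path} links to SECURITY.md"] = "SECURITY.md" in repo_files.get(path, "")
    return results


# Constructed sample content, not the real pdftract files.
SAMPLE_SECURITY_MD = """# Security Policy
## Supported Versions
## Reporting a Vulnerability
Email security@jedarden.com or use GitHub private vulnerability reporting.
## Disclosure Window
Acknowledgement within 48h, triage in 5 business days, fixes within a 90-day window.
## CVE Assignment
## Scope
## Safe Harbor
"""
SAMPLE_REPO = {
    "README.md": "## Security\nSee [SECURITY.md](SECURITY.md).",
    "CONTRIBUTING.md": "## Security\nFollow the policy in SECURITY.md.",
    ".github/ISSUE_TEMPLATE/security.md": "Do not file vulnerabilities here; read SECURITY.md.",
}

if __name__ == "__main__":
    for criterion, ok in check_policy(SAMPLE_SECURITY_MD, SAMPLE_REPO).items():
        print(f"{'PASS' if ok else 'FAIL'}  {criterion}")
```

Point `check_policy` at the real file contents to reproduce the PASS rows; any False entry names the criterion that regressed.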

WARN Items Justification

The WARN items are infrastructure-dependent and outside the scope of code/documentation changes:

  1. security@jedarden.com email alias: Requires email infrastructure setup and forwarding configuration. The documentation references this alias and provides the policy for when it's operational.

  2. PGP key generation: Requires the security@jedarden.com email to exist before generating a key tied to that address. The placeholder includes complete generation instructions.

  3. GitHub Community Standards check: Requires manual verification in GitHub repository settings (not accessible via CLI).

  4. 48-hour acknowledgement test: Requires an operational email alias to receive the test report.

References

  • Plan section: Release Engineering / Contributor Workflow, line 3433
  • OpenSSF Scorecard vulnerabilities check
  • Disclose.io safe-harbor template
  • GitHub Security Advisories docs