Add comprehensive SECURITY.md covering:
- Supported versions policy
- Private vulnerability reporting (email + GitHub)
- 90-day disclosure window with timelines
- CVE assignment via GitHub Security Advisories
- In-scope and out-of-scope vulnerability classes
- Safe harbor policy for good-faith researchers

Add security issue template redirecting users to private reporting.

Add Security section to CONTRIBUTING.md and README.md with links to SECURITY.md.

Add docs/security/pgp-public-key.asc placeholder with generation instructions.

References: bead pdftract-58kz, plan line 3433

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
| name | about | title | labels |
|---|---|---|---|
| Security Vulnerability | Report a security vulnerability privately | [SECURITY] | security |
Security Vulnerability Report
IMPORTANT: This issue template is for reference only. Do NOT submit a public issue for security vulnerabilities.
Security vulnerabilities must be reported through private channels only:
- Email (preferred): security@jedarden.com
  - PGP-encrypted emails are strongly encouraged
  - PGP key: docs/security/pgp-public-key.asc
  - PGP key fingerprint: See README.md
- GitHub Private Vulnerability Reporting:
  - Use the Security tab
  - This provides a private discussion forum
See SECURITY.md for details on our disclosure process, supported versions, and safe harbor policy.
Why not a public issue?
- Public issues expose vulnerabilities to attackers before a fix is available
- We need time to prepare patches for supported versions
- We coordinate with downstream packagers (Homebrew, distros) before disclosure
Thank you for helping keep pdftract secure!
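Review bot: the template strongly encourages PGP-encrypted reports and points reporters at docs/security/pgp-public-key.asc, but this commit adds only a placeholder at that path (per the commit message, "placeholder with generation instructions"), so a reporter following the template today finds no usable key and a fingerprint reference ("See README.md") with nothing to check it against. Either mark the PGP lines as pending until the real key is committed and its fingerprint is published in SECURITY.md/README.md, or drop them from the template until then, so reporters are not nudged toward a channel that cannot yet be used.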