
Conversation

@Siddhazntx

Description
This draft PR proposes an update to SECURITY.md to:

  • Clarify that security updates are provided for the latest tagged release
  • Move away from public GitHub issue reporting for vulnerabilities
  • Encourage coordinated vulnerability disclosure
  • Outline a clearer security reporting and release process

Since security policy involves maintainer-level decisions, this PR is opened as a draft to facilitate discussion and refinement before finalizing implementation.

Open Questions for Maintainers

  1. Should we explicitly support only the latest tagged release, or maintain a version table?
  2. Is there a preferred dedicated security contact email address?
  3. Should we define a specific disclosure timeline, or keep it flexible?

This PR fixes #3655

Notes for Reviewers

  • This PR is opened as a draft to facilitate discussion around security policy.
  • No functional changes — documentation only.
  • Open to revisions based on maintainer feedback.

Signed commits

  • [x] Yes, I signed my commits.

Comment on lines +34 to +40
### Responsible Disclosure Guidelines

We follow responsible disclosure practices:

- **Embargo Period**: We ask that you allow maintainers a reasonable amount of time to investigate and release a fix before public disclosure.
- **Credit**: We will acknowledge your discovery in security release notes (unless you prefer anonymity)
- **Coordination**: We will work with you to coordinate the disclosure and release timeline
- **No Public Issues**: Please do not create public GitHub issues or pull requests for security vulnerabilities
- **Confidentiality**: We treat all vulnerability reports with strict confidentiality

### Security Release Process

When a security vulnerability is confirmed:

1. A fix is developed and tested
2. A security release is prepared
3. Users are notified via security advisories
4. The vulnerability is publicly disclosed only after the patch is released and available

Thank you for helping keep Augur secure!
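Review bot: the "Embargo Period" bullet asks for "a reasonable amount of time" but never states a window, and step 3 of the Security Release Process says users are notified "via security advisories" without naming where those advisories are published. Since open question 3 already asks whether to fix a disclosure timeline, the text should either commit to a concrete window or say explicitly that the timeline is agreed per report, and step 3 should name the advisory channel so reporters know where to look for the disclosure the patch release triggers.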
Contributor


This process will need confirmation from the maintainers since a lot of this language commits us to doing things

@Siddhazntx Siddhazntx force-pushed the update-security-policy branch 2 times, most recently from 9f2da60 to af891ce Compare February 9, 2026 19:16
Signed-off-by: itz-sidd <siddhantofficial002@gmail.com>
@Siddhazntx Siddhazntx force-pushed the update-security-policy branch 2 times, most recently from e6c1651 to ca1bfa8 Compare February 9, 2026 19:35
@Siddhazntx Siddhazntx force-pushed the update-security-policy branch from ca1bfa8 to 154c3a5 Compare February 10, 2026 12:28
SECURITY.md Outdated
Comment on lines 14 to 16
### Private Disclosure Process

If you discover a security vulnerability in Augur, please report it privately:
### Private Disclosure Process
Contributor


this change will make this heading be duplicated

Author


Thanks for pointing that out. I've cleaned up the duplicate heading in SECURITY.md and ensured the text flows properly. I also updated the template with the guidance and AI disclosure we discussed earlier. Is the draft good now?

@MoralCode MoralCode added the discussion Seeking active feedback, usually for items under active development label Feb 10, 2026
Signed-off-by: itz-sidd <siddhantofficial002@gmail.com>
@Siddhazntx Siddhazntx force-pushed the update-security-policy branch from 154c3a5 to 57c70e8 Compare February 10, 2026 18:31

Labels

discussion Seeking active feedback, usually for items under active development


Development

Successfully merging this pull request may close these issues.

Security policy needs an update

2 participants