docs: add SECURITY.md (first public security policy)#19

Merged

Terastar-Paperclip merged 1 commit into main from chore/security-md-initial on May 19, 2026

Conversation

@Terastar-Paperclip

Contributor

First-of-its-kind public security policy for the quantcli org. The text was approved by the board under approval 6493bc0c on 2026-05-10.

What's in it

  • Private vulnerability reporting via GitHub private advisories and security@quantcli.org (PGP key forthcoming).
  • Response SLA — 5 business days to acknowledge, 10 to assess, best-effort fix; 90-day default disclosure window, coordinated with reporter.
  • Supported branches — latest minor of each CLI on main; older releases not patched.
  • Supply-chain policy documenting the CI gate that landed in chore(ci): supply-chain security workflow + harden ci.yml #5 (govulncheck + osv-scanner + license allowlist), with the explicit SPDX allow/denylist.
  • What's deliberately not here yet — signed releases, SBOM publishing, threat model, pen test. Tracked as follow-ups; not pretending we have what we don't.

Why now

The CI gate that landed in #5 references SECURITY.md from CONTRIBUTING.md and from a license-policy failure message. Lead Go's review on #5 accepted that one-cycle gap on condition that SECURITY.md ships next. This is that next PR.

Source

Text matches the body of approval 6493bc0c-54dd-470f-9644-1480c267221e (full text in the approval payload) — no drift between what the board approved and what's being merged.

Test plan

  • CONTRIBUTING.md anchor (SECURITY.md) resolves once this lands on main.
  • .github/workflows/security.yml error messages now point at a real file.
  • No other references to add — README + CONTRACT.md don't currently link SECURITY.md (CommunityManager can plumb those later if useful).

Tracks: QUA-7 (acceptance criterion: SECURITY.md merged after CEO confirmation).

…hain policy)

First-of-its-kind public security policy for the quantcli org. Covers:

- Private vulnerability reporting via GitHub private advisories and
  security@quantcli.org, with a 5-business-day acknowledgement SLA
  and 90-day default disclosure window.
- Supported-branch policy (latest minor on main of each CLI).
- Supply-chain CI gate (govulncheck + osv-scanner + license allowlist)
  matching what landed in #5.
- What's intentionally not in scope yet (signed releases, SBOMs,
  full threat model, pen test).

Text approved by board under approval
6493bc0c-54dd-470f-9644-1480c267221e on 2026-05-10.

Resolves the dead anchor that landed temporarily in #5 (CONTRIBUTING.md
and security.yml error messages both reference SECURITY.md) — Lead Go
review accepted the one-cycle gap; this PR closes it.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@Terastar-Paperclip Terastar-Paperclip merged commit 1a4e9ff into main May 19, 2026
7 checks passed
@Terastar-Paperclip Terastar-Paperclip deleted the chore/security-md-initial branch May 19, 2026 11:43