From 4e316c9e9a5bea3876649049767c373e6f062e2d Mon Sep 17 00:00:00 2001 From: QualitySecurity Date: Tue, 19 May 2026 07:41:09 -0400 Subject: [PATCH] docs: add SECURITY.md (vuln reporting + supported branches + supply-chain policy) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit First-of-its-kind public security policy for the quantcli org. Covers: - Private vulnerability reporting via GitHub private advisories and security@quantcli.org, with a 5-business-day acknowledgement SLA and 90-day default disclosure window. - Supported-branch policy (latest minor on main of each CLI). - Supply-chain CI gate (govulncheck + osv-scanner + license allowlist) matching what landed in #5. - What's intentionally not in scope yet (signed releases, SBOMs, full threat model, pen test). Text approved by board under approval 6493bc0c-54dd-470f-9644-1480c267221e on 2026-05-10. Resolves the dead anchor that landed temporarily in #5 (CONTRIBUTING.md and security.yml error messages both reference SECURITY.md) — Lead Go review accepted the one-cycle gap; this PR closes it. Co-Authored-By: Paperclip --- SECURITY.md | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..d9b9268 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,73 @@ +# Security policy + +This document covers the [quantcli](https://github.com/quantcli) family of open-source CLIs: `common`, `crono-export-cli`, `liftoff-export-cli`, `withings-export-cli`, and any future `*-export-cli` that adopts the [contract](CONTRACT.md). + +## Reporting a vulnerability + +**Please do not open a public GitHub issue for security reports.** Public issue threads are searchable from the day they are filed; we'd rather give the project a chance to ship a fix before the issue is widely known. + +Report security issues privately via: + +- GitHub's private vulnerability reporting at , or +- Email to `security@quantcli.org` (PGP key forthcoming). + +Include: + +- The repository and version affected (or `main` and a commit SHA). +- A description of the issue and the impact you observed. +- A minimal reproduction — command-line invocation, sample input, the unexpected behaviour. +- Your name/handle for credit in the eventual advisory, if you want it. + +**Out of scope:** + +- Vulnerabilities in the upstream services these CLIs talk to (Cronometer, Liftoff, Withings, etc.). Report those to the upstream vendor. +- Reports that depend on an attacker already having local code execution on the user's machine. +- Reports relying on outdated dependencies in a release older than the currently supported version range. + +## Response SLA + +- **Acknowledgement:** within 5 business days. +- **Initial assessment** (severity + whether it's in scope): within 10 business days of acknowledgement. +- **Fix or mitigation** for confirmed vulnerabilities: best effort. Critical issues in supported releases are prioritised; low-severity issues may be batched into a regular release. + +We coordinate disclosure with the reporter. Default disclosure timeline is **90 days** from the initial report, or earlier if a fix is available and shipped. + +## Supported branches + +We patch the **latest minor release of each CLI** on its `main` branch. 
Older releases are not patched; users on older versions should upgrade. + +`quantcli/common` defines the contract; it is patched on `main`. If a change to the contract is required to resolve a vulnerability, it follows the contract-change flow described in [CONTRIBUTING.md](CONTRIBUTING.md), with the security review fast-tracked. + +## Supply-chain policy + +Every PR — in `common` and in every `*-export-cli` — is gated on a CI workflow that runs three checks: + +- `govulncheck` against the Go vulnerability database. +- `osv-scanner` for transitive vulnerabilities across the OSV database. +- A license-policy check that allowlists only permissive licenses. + +**License allowlist** (SPDX identifiers): + +- `Apache-2.0` +- `MIT` +- `BSD-2-Clause` +- `BSD-3-Clause` +- `MPL-2.0` +- `ISC` +- `Unlicense` + +**License denylist** (blocking; not exhaustive): + +- The GPL family — `GPL-*`, `LGPL-*`, `AGPL-*`. +- `SSPL-*`, `BUSL-*` / `BSL-*`, and other "source-available" licenses. +- "Custom" or unidentified licenses where the SPDX identifier cannot be resolved. + +A PR that introduces a denied license is blocked. To request an exception, open an issue against `quantcli/common` with the dependency name, version, license text, and the rationale. Exceptions are rare and case-by-case. + +## What's not in this policy yet + +- **Signed releases / SBOM publishing.** Useful next steps; tracked as separate follow-up tickets, not yet shipped. +- **Threat model write-up.** The product surface is intentionally small (local CLIs, user owns their tokens), so a full threat model is premature. We will publish one if the surface grows materially. +- **Pen test.** Not commissioned for the current product surface. + +If the policy itself needs to change — to add a category of scan, to adjust the allowlist, to revise the disclosure timeline — open a PR against this file in `quantcli/common`. Policy changes ripple across every export-cli and are reviewed accordingly.
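Review bot: the private-reporting bullet in the "Reporting a vulnerability" section has an empty link target ("GitHub's private vulnerability reporting at , or"), so the primary reporting channel this policy points people to is unreachable from the document; either supply the per-repository advisory URL (GitHub's private reporting form lives under each repository's Security tab, so one link per CLI or a pointer to that tab would do) or reword the bullet so it does not dangle on "at". Since the commit message says this PR closes the dead SECURITY.md anchor referenced from CONTRIBUTING.md and security.yml, shipping the file with its own dead link undercuts the fix. A smaller point in the same section: "Default disclosure timeline is 90 days from the initial report, or earlier if a fix is available and shipped" leaves it unstated whether disclosure proceeds at day 90 when no fix has shipped; one sentence saying what happens in that case would remove the ambiguity for reporters.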