Skip to content

Add SECURITY.md vulnerability disclosure policy#133

Merged
atimin merged 1 commit into
reductstore:mainfrom
mother-6000:issue-36-security-md-cvd
Jul 1, 2026
Merged

Add SECURITY.md vulnerability disclosure policy#133
atimin merged 1 commit into
reductstore:mainfrom
mother-6000:issue-36-security-md-cvd

Conversation

@mother-6000

Copy link
Copy Markdown
Contributor

PR: Security / Policy / Docs Change

Summary

Adds a standardized repository-level SECURITY.md for reductstore/reduct-cpp aligned with the canonical coordinated vulnerability disclosure policy.

Scope

  • In scope: Repository SECURITY.md with GitHub Security Advisories as the primary reporting channel, security@reduct.store as fallback, the 48-hour acknowledgement SLA, the 90-day coordinated disclosure window, and safe-harbor guidance.
  • Out of scope: Code changes, release automation, advisory publication, or vulnerability triage workflow changes.
  • Impacted docs/areas: SECURITY.md.

Motivation / Context

Part of reductstore/security#36.

This deploys the standardized SECURITY.md deliverable described in the CRA vulnerability disclosure workstream and aligns this repository with the canonical policy drafted in reductstore/security#43.

Risk & Compliance Traceability

  • CRA mapping: Article 11 and Annex I Part II, Requirement 5 (coordinated vulnerability disclosure policy).
  • ISO/IEC 27001 mapping: Not directly mapped in this change.
  • Other references: Canonical policy references ISO/IEC 29147 and ISO/IEC 30111.

Security Impact

  • Threat model impact: Clarifies the private reporting path and disclosure expectations; no product threat model changes.
  • Data impact: No customer data, secrets, or internal URLs included.
  • Operational impact: Standardizes vulnerability intake guidance for this repository.

How to Verify

  • Review SECURITY.md for the required [#35] Support HTTP API v0.7 #36 scope: GitHub Security Advisories primary reporting, security@reduct.store fallback, 48-hour acknowledgement, 90-day coordinated disclosure, safe harbor, and no-public-reporting guidance.
  • Confirm the advisory URL points to reductstore/reduct-cpp.
  • Run git diff --check.

Reviewer Notes

This PR intentionally references the canonical policy path in the reductstore/security repository and is expected to merge alongside or after reductstore/security#43.

Checklist

  • No secrets, credentials, internal URLs, or customer data included.
  • No licensed text pasted verbatim unless permitted.
  • Terminology and identifiers are consistent.
  • Changes are minimal and do not reformat unrelated files.

@atimin atimin merged commit 79f4c0b into reductstore:main Jul 1, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants