
Proposed SECURITY.md file for veraPDF projects #727

Open
carlwilson wants to merge 1 commit into integration from propeosed-security-policy

Conversation

@carlwilson (Collaborator) commented Apr 2, 2026

Adding a Security policy file, inspired by #725 thanks to @acornall. The proposed policy has been altered to take the EU's Cyber Resilience Act into consideration.

Summary by CodeRabbit

  • Documentation
    • Added a comprehensive security policy detailing vulnerability reporting procedures (private email and GitHub options), response timelines with acknowledgment within 5 business days, severity-based fix schedules, coordinated disclosure protocols, and public disclosure guidelines. Confirms no legal action will be taken against good-faith researchers following the policy.

Adding a Security policy file, inspired by #725 thanks to @acornall
@coderabbitai (bot) commented Apr 2, 2026

Walkthrough

Adds SECURITY.md defining OPF's vulnerability disclosure policy, including private reporting channels, response timelines, assessment procedures, coordinated disclosure processes, and regulatory compliance guidelines for maintained products and libraries.

Changes

Cohort / File(s): Security Policy (SECURITY.md)
Summary: New security policy document establishing vulnerability reporting procedures, response commitments (5 business day acknowledgment, coordinated disclosure), timeline milestones, severity-based fix targets, out-of-scope categories, public disclosure steps, and CRA regulatory reporting requirements.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A warren's walls grow ever strong,
With shields of words both clear and long,
Where troubles lurk, we listen well—
Report in trust, no need to tell!
Safe disclosure marks our way,
As vulnerabilities meet the day. 🛡️

Pre-merge checks: 3 passed

Description check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
Title check: Passed. The title accurately and specifically identifies the main change: adding a new SECURITY.md file to the veraPDF projects repository.
Docstring coverage: Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
SECURITY.md (1)

Line 64: Consider hyphenating "Denial of service" for consistency.

The term is typically hyphenated as "Denial-of-service" when used as a compound modifier. This improves readability and follows standard technical writing conventions.

📝 Optional fix for hyphenation
-- Denial of service attacks
+- Denial-of-service attacks

As per coding guidelines (static analysis hint from LanguageTool).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@SECURITY.md` at line 64, Update the phrase "Denial of service attacks" to the
hyphenated form "Denial-of-service attacks" for consistency; locate the exact
string "Denial of service attacks" in SECURITY.md and replace it with
"Denial-of-service attacks", and scan the document for other occurrences of
"Denial of service" to standardize them to the hyphenated form.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b7981253-ef1c-486a-bf04-51587516b121

📥 Commits

Reviewing files that changed from the base of the PR and between e24b45a and ac5812f.

📒 Files selected for processing (1)
  • SECURITY.md
