Enhance security policy with detailed reporting and scope for GHSA#816
Enhance security policy with detailed reporting and scope for GHSA#816noyp-lasso wants to merge 3 commits into
Conversation
Expanded the security policy to include detailed reporting guidelines, response targets, and scope of vulnerabilities. Added sections on coordinated disclosure and safe harbor for researchers.
There was a problem hiding this comment.
Code Review
This pull request introduces a new SECURITY.md file to establish the project's security policy, detailing vulnerability reporting, disclosure timelines, and scope. The review feedback suggests improving the accuracy and consistency of the document by renaming 'Yuxi-Know' to 'Yuxi' to match the project's branding, and updating the reference from 'frontend' to 'web' to align with the actual repository directory structure.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| This policy covers the code in this repository (backend, frontend, agent | ||
| harness, and the deployment configuration shipped here, e.g. `docker-compose` | ||
| files and the sandbox provisioner). |
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
|
Thanks for the contribution. Before we proceed with this PR, please clarify whether the accompanying security analysis was performed against the latest Please confirm, through the private disclosure channel:
Please do not post any vulnerability details, affected code paths, payloads, reproduction steps, or impact analysis in this public PR. For this PR itself, please also update |
|
|
Thanks for the reminder. The risk points mentioned in your email have been received, and we will address them in the near term. Back to this PR: please handle this PR seriously. Before we continue reviewing it, please first address the PR-specific issues already mentioned above, including using |
|
Thanks for the review and the clear guidance. I've addressed the PR-specific items in the latest commit: the policy now uses "Yuxi" consistently (no more "Yuxi-Know") and refers to "web" instead of "frontend". This PR only adds the general Understood on keeping all vulnerability details out of this public PR. I'll send the full private details once GitHub Private Vulnerability Reporting / GHSA is enabled (it currently appears off) — please enable it or open a draft advisory and add me as a reporter. |
Expanded the security policy to include detailed reporting guidelines, response targets, and scope of vulnerabilities. Added sections on coordinated disclosure and safe harbor for researchers.
变更描述
简要描述这个 PR 做了什么
变更类型
测试
相关日志或者截图
说明
(可选)有什么需要特别说明的吗?
💡 提示: 提交前可以运行
make lint和make format检查代码规范