Revise security policy and reporting instructions#6
Updated the security policy to reflect support for all versions and provided a contact email for reporting vulnerabilities.
Pull Request Overview
This PR establishes a security policy for the repository by adding a new SECURITY.md file that outlines version support and provides contact information for vulnerability reporting.
- Declares support for all versions
- Provides an email address (security@anchorage.com) for reporting security vulnerabilities
| ## Supported Versions | ||
| All versions are expected to be supported |
The statement "All versions are expected to be supported" is vague and potentially misleading. Security policies should clearly specify which versions receive security updates. Consider being more explicit, such as:
- "We support the latest release with security updates"
- "We support the last N major/minor versions"
- "Only the current major version (vX.x.x) receives security updates"
This clarity helps users understand their security support window and make informed decisions about upgrading.
| All versions are expected to be supported | |
| We support the latest release with security updates. Older versions may not receive security updates. |
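Review bot: the replacement line still leaves the support window ambiguous, because "Older versions may not receive security updates" reads as a maybe rather than a commitment, and it contradicts the PR description, which says all versions are supported. Pick one and state it definitively, e.g. "Only the latest release receives security updates; older releases do not." or, if every version really is supported, keep the original wording but say for how long and on what release channel.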
| ## Reporting a Vulnerability | ||
| Email: security@anchorage.com |
The vulnerability reporting section lacks important details that are typically included in security policies. Consider adding:
- Expected response time (e.g., "We will respond within 48 hours")
- Disclosure policy (e.g., responsible disclosure timeline)
- What information to include in the report
- Preferred format for reporting (PGP key if encrypted communication is preferred)
- Whether a bug bounty program exists
This information helps security researchers understand the reporting process and expectations.
| Email: security@anchorage.com | |
| If you believe you have found a security vulnerability, please report it to us via email at [security@anchorage.com](mailto:security@anchorage.com). | |
| **Expected Response Time:** We will acknowledge your report within 48 hours and aim to provide a more detailed response within 5 business days. | |
| **Disclosure Policy:** We ask that you follow responsible disclosure practices and allow us reasonable time to investigate and address the issue before any public disclosure. We will keep you informed of our progress and coordinate disclosure timelines as appropriate. | |
| **What to Include in Your Report:** Please provide as much detail as possible, including: | |
| - A description of the vulnerability | |
| - Steps to reproduce the issue | |
| - Potential impact | |
| - Any relevant logs, screenshots, or proof-of-concept code | |
| **Preferred Format for Reporting:** If you wish to encrypt your communication, please use our PGP key below: | |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.10.10
Comment: https://openpgpjs.org
mQENBF9v1XwBCAC3...
-----END PGP PUBLIC KEY BLOCK-----
**Bug Bounty Program:** At this time, we do not offer a public bug bounty program. However, we appreciate your efforts to help us improve our security and may recognize significant contributions.
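Review bot: the PGP block in this suggestion is a truncated placeholder (`mQENBF9v1XwBCAC3...`) and must not be merged as-is; anyone who tries to encrypt a report to it will fail, and a policy that advertises a non-working key is worse than one with no key. Replace it with the real ASCII-armored public key for security@anchorage.com and add its fingerprint in the text so reporters can verify the key independently of the repository. Separately, the "within 48 hours" and "5 business days" commitments should be confirmed with whoever staffs that mailbox before they are published, since a missed SLA in a public policy undermines the disclosure relationship the section is trying to establish.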
dustin-ray-anchor
left a comment
Looks mostly good, but Copilot makes some valid points; can we address those?