Create SECURITY.md for security policy #169
Conversation
Added a security policy document outlining supported versions and vulnerability reporting.
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull Request Overview
SECURITY.md added. No blocking code or security issues detected by Codacy. Before merging, the policy should include concrete reporting instructions and clearer supported-versions semantics; these are important for an effective security process but not merge-blocking.
About this PR
- Add tests/coverage are not applicable for this change (documentation only). If your project requires CI checks for documentation, ensure SECURITY.md passes any linting/markdown checks.
Low confidence findings
- PR description is minimal — consider summarizing the policy contents and intended audience (maintainers vs public), and whether this is a repository-level or organization-wide policy.
💡 Codacy uses AI. Check for mistakes.
| ## Reporting a Vulnerability | ||
|
|
||
| Use this section to tell people how to report a vulnerability. | ||
|
|
||
| Tell them where to go, how often they can expect to get an update on a | ||
| reported vulnerability, what to expect if the vulnerability is accepted or | ||
| declined, etc. |
There was a problem hiding this comment.
❗ Issue
The "Reporting a Vulnerability" section is generic. Add concrete instructions: an email address (preferably security@yourdomain), expected acknowledgment timeframe (e.g., 48 hours), disclosure policy (coordinated disclosure timeline), and a PGP key or link for secure reports if you accept them. Include whether reporters can expect bounty information or triage steps.
🟡 Medium risk
| | Version | Supported | | ||
| | ------- | ------------------ | | ||
| | 5.1.x | :white_check_mark: | | ||
| | 5.0.x | :x: | | ||
| | 4.0.x | :white_check_mark: | | ||
| | < 4.0 | :x: | |
There was a problem hiding this comment.
💡 Suggestion
The supported versions table uses emojis (:white_check_mark:, :x:) which may not render consistently in all clients or when consumed programmatically. Prefer explicit text (e.g., "Yes" / "No" or "Supported" / "Not supported") and define what "supported" means (security fixes only, bug fixes, timeframe). Example replacement:
This might be a simple fix:
| | Version | Supported | | |
| | ------- | ------------------ | | |
| | 5.1.x | :white_check_mark: | | |
| | 5.0.x | :x: | | |
| | 4.0.x | :white_check_mark: | | |
| | < 4.0 | :x: | | |
| Version | Supported | | |
| ------- | --------- | | |
| 5.1.x | Supported (security updates) | |
| 5.0.x | Not supported | |
| 4.0.x | Supported (security updates) | |
| < 4.0 | Not supported |
🟡 Medium risk
1 participant
Added a security policy document outlining supported versions and vulnerability reporting.