chore: add SECURITY.md (private vulnerability reporting policy)#356

Open
eddieran wants to merge 1 commit into dromara:main from eddieran:chore/security-policy

Conversation

@eddieran eddieran commented May 9, 2026


Why

x-file-storage currently has no SECURITY.md. GitHub's Security tab shows the "Suggest a security policy" prompt for exactly this case. This PR is that suggestion.

For a file-upload / storage abstraction specifically, having a structured private-disclosure channel is especially important — path traversal, SSRF in remote-fetch, content-type bypass, and pre-signed-URL flaws come up regularly and shouldn't be posted publicly before a fix lands.

What

Adds a draft SECURITY.md at the repo root, modelled on GitHub's standard template with sections tailored for a file-storage library (the in-scope list highlights path traversal in adapters, SSRF in remote-fetch, XXE in S3 XML parsing, content-type bypass, etc.).

The most important part is documenting a private reporting channel so security researchers can responsibly disclose findings without having to choose between staying silent and posting to a public issue. The draft points at GitHub's Private Vulnerability Reporting (PVR) feature as the preferred channel, with an email fallback that maintainers can fill in.

Suggested action by maintainers after merge:

  1. Enable PVR via Settings → Code security → Private vulnerability reporting → Enable. Free for public repos.
  2. Optionally edit the email fallback in SECURITY.md to point at the maintainer's preferred address.

Sections in the draft:

  • Reporting a vulnerability (PVR + email fallback)
  • What to include
  • Scope and supported versions (with explicit out-of-scope examples to reduce triage burden)
  • Process / SLA / hall-of-fame

Maintainers should feel free to edit any section — the important thing is that a private channel exists.

Companion issue

See #355 for the request to enable PVR. This PR is the SECURITY.md half; merging this and enabling PVR together unblocks structured private disclosure.

Thanks for considering!

Adds a draft security policy modeled on GitHub's 'Suggest a security
policy' workflow. The most important part is documenting a private
reporting channel so researchers can responsibly disclose findings.

Maintainers should feel free to edit any section.