From 2e4cd10043b2cbca52d70e945a79c948a0501e3c Mon Sep 17 00:00:00 2001
From: Codebeast
Date: Fri, 10 Apr 2026 06:34:16 -0500
Subject: [PATCH] chore: add canonical SECURITY.md

Adds the standardized Stackbilt-dev security reporting template to this repository. The template is the canonical per-repo security file rolled out across the entire Stackbilt-dev organization as part of the outbound disclosure policy (Stackbilt-dev/docs#15).

Key points:
- Primary reporting channel: admin@stackbilt.dev
- GitHub Security Advisory link scoped to this repo
- Response target matrix (critical 24h ack / 7d fix, high 48h / 14d)
- Full policy link at https://docs.stackbilt.dev/security/
- Explicit "do not open public GH issues for vulns" rule

This replaces the implicit policy that existed via the Stackbilt-dev organization profile with an explicit per-repo file, so the GitHub security tab surfaces it and external researchers have a clear reporting path.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 SECURITY.md | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..f9027e1
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,45 @@ +# Security + +For the full Stackbilt security policy, see https://docs.stackbilt.dev/security/. + +## Reporting a Vulnerability + +**Do not open a public GitHub issue for security vulnerabilities.** + +### How to report + +- **Primary channel:** email `admin@stackbilt.dev` with "SECURITY:" in the subject line +- **GitHub Security Advisory:** https://github.com/Stackbilt-dev/cc-taskrunner/security/advisories/new +- Include: vulnerability description, reproduction steps, potential impact, and any suggested mitigation + +### Response targets + +| Severity | Acknowledgement | Fix target | +|---|---|---| +| Critical — active exploitation, data exposure | 24 hours | 7 days | +| High — exploitable with effort | 48 hours | 14 days | +| Medium / Low | 5 business days | Next release cycle | + +These are targets, not contractual SLAs. Stackbilt is a solo-founder operation and response times reflect that reality honestly. Critical issues affecting user data are prioritized above everything else. + +### Scope + +This policy covers all software published in this repository. For the full policy covering the entire Stackbilt-dev organization, see the [canonical security policy](https://docs.stackbilt.dev/security/). + +### Out of scope + +- Denial of service against free-tier services (Cloudflare handles DDoS) +- Rate limiting bypass on non-authenticated endpoints (unless it enables data access) +- Missing security headers on non-production deployments +- Vulnerabilities in third-party dependencies where this repo is not the upstream maintainer + +### Disclosure + +- Stackbilt practices **coordinated disclosure** with a minimum 90-day window (30 days for critical). +- Reporters are credited in release notes unless anonymity is requested. +- Good-faith security research within this policy will not face legal action. + +### Contact + +- **Primary:** admin@stackbilt.dev +- **Canonical policy:** https://docs.stackbilt.dev/security/
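Review bot: the Disclosure bullet `- Stackbilt practices **coordinated disclosure** with a minimum 90-day window (30 days for critical).` is ambiguous about who the window binds: "minimum" reads as though reporters must wait at least 90 days before publishing, yet critical issues get the shorter window and a 7-day fix target in the Response targets table above it. State it as the embargo the reporter is asked to honour, for example "please hold public disclosure until a fix ships or 90 days after acknowledgement (30 days for critical), whichever comes first". Two smaller points in the same file: the `https://github.com/Stackbilt-dev/cc-taskrunner/security/advisories/new` link under "How to report" only accepts submissions from outside collaborators when private vulnerability reporting is enabled in the repository settings, so confirm that is switched on before merging or the link will not give researchers a working path; and the out-of-scope bullet `- Vulnerabilities in third-party dependencies where this repo is not the upstream maintainer` should be narrowed to dependency issues that are not exploitable through this project, since a vulnerable pinned dependency still needs a version bump here even though the code fix lands upstream. Finally, with plain email as the primary channel and no key published, it is worth adding one line directing reporters to put reproduction details for critical findings in the advisory form rather than in an unencrypted message.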