Add SECURITY.md with Vulnerability Reporting Process #210

@snowfox1003

Description

Problem

The system manages credentials for six platforms—GitHub PATs (including a multi-token scraping pool), Slack bot tokens, Discord bot token, Pinecone API keys, YouTube API key, and Selenium-extracted browser session cookies—yet has no SECURITY.md, no security policy, and no documented vulnerability disclosure process. For a system deployed via SSH that holds long-lived tokens across six integration surfaces, the absence of a security contact means a researcher or contributor who discovers a credential leak or injection vulnerability has no clear path to report it responsibly.

Acceptance Criteria

  • SECURITY.md added to the repository root
  • Document includes: supported versions, vulnerability reporting instructions (email or private GitHub Security Advisory), expected response timeline, and scope of covered components
  • Reporting instructions direct reporters to a private channel (not a public GitHub issue)
  • Document references the credential rotation scope: GitHub PATs, Slack tokens, Discord token, Pinecone keys, YouTube key, session cookies
  • GitHub repository settings updated to link the security policy (Settings → Security → Security policy)
