Skip to content

docs: add security disclosure policy#1117

Open
peterxing wants to merge 1 commit into
emdash-cms:mainfrom
peterxing:fix/issue-993-security-policy
Open

docs: add security disclosure policy#1117
peterxing wants to merge 1 commit into
emdash-cms:mainfrom
peterxing:fix/issue-993-security-policy

Conversation

@peterxing
Copy link
Copy Markdown

@peterxing peterxing commented May 20, 2026
edited
Loading

What does this PR do?

Adds a root SECURITY.md so researchers have a clear private route for vulnerability reports and existing GitHub security advisories. The policy covers GitHub private vulnerability reporting, EmDash-specific report fields/scope examples, coordinated disclosure, and safe-harbor boundaries without promising bounty terms.

Closes #993

Type of change

  • Bug fix
  • Feature (requires maintainer-approved Discussion)
  • Refactor (no behavior change)
  • Translation
  • Documentation
  • Performance improvement
  • Tests
  • Chore (dependencies, CI, tooling)

Checklist

  • I have read CONTRIBUTING.md
  • pnpm typecheck passes — not run; documentation-only change
  • pnpm lint passes — not run; documentation-only change
  • pnpm test passes (or targeted tests for my change) — not run; documentation-only change
  • pnpm format has been run — not run; Markdown-only change, git diff --check passed
  • I have added/updated tests for my changes (if applicable) — not applicable; documentation-only change
  • User-visible strings in the admin UI are wrapped for translation (if applicable). Do not include messages.po changes except in translation PRs — a workflow extracts catalogs on merge to main.
  • I have added a changeset (if this PR changes a published package) — not applicable; no package/runtime change
  • New features link to an approved Discussion: https://github.com/emdash-cms/emdash/discussions/... — not applicable; documentation-only security routing

AI-generated code disclosure

  • This PR includes AI-generated code — model/tool: OpenAI GPT-5.5 via OpenClaw

Screenshots / test output

Verification run locally:

git diff --check
Select-String SECURITY.md markers for private reporting, advisory follow-up, plugin sandbox scope, coordinated disclosure, and safe harbor

No build/test run because this only adds SECURITY.md.

@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 20, 2026

⚠️ No Changeset found

Latest commit: 9b67130

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 20, 2026


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@peterxing peterxing mentioned this pull request May 20, 2026
Open
@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented May 20, 2026

Open in StackBlitz

@emdash-cms/admin

npm i https://pkg.pr.new/@emdash-cms/admin@1117

@emdash-cms/auth

npm i https://pkg.pr.new/@emdash-cms/auth@1117

@emdash-cms/blocks

npm i https://pkg.pr.new/@emdash-cms/blocks@1117

@emdash-cms/cloudflare

npm i https://pkg.pr.new/@emdash-cms/cloudflare@1117

emdash

npm i https://pkg.pr.new/emdash@1117

create-emdash

npm i https://pkg.pr.new/create-emdash@1117

@emdash-cms/gutenberg-to-portable-text

npm i https://pkg.pr.new/@emdash-cms/gutenberg-to-portable-text@1117

@emdash-cms/x402

npm i https://pkg.pr.new/@emdash-cms/x402@1117

@emdash-cms/plugin-ai-moderation

npm i https://pkg.pr.new/@emdash-cms/plugin-ai-moderation@1117

@emdash-cms/plugin-atproto

npm i https://pkg.pr.new/@emdash-cms/plugin-atproto@1117

@emdash-cms/plugin-audit-log

npm i https://pkg.pr.new/@emdash-cms/plugin-audit-log@1117

@emdash-cms/plugin-color

npm i https://pkg.pr.new/@emdash-cms/plugin-color@1117

@emdash-cms/plugin-embeds

npm i https://pkg.pr.new/@emdash-cms/plugin-embeds@1117

@emdash-cms/plugin-forms

npm i https://pkg.pr.new/@emdash-cms/plugin-forms@1117

@emdash-cms/plugin-webhook-notifier

npm i https://pkg.pr.new/@emdash-cms/plugin-webhook-notifier@1117

commit: 9b67130

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

cla: needed size/M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Responsible Disclosure

1 participant

@peterxing