Add security policy for responsible disclosure

2026-04-25 17:25:23 +02:00 · 2026-02-09 12:34:51 -06:00
parent 279f3bc4c5
commit 392742e7aa
1 changed files with 33 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,33 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them via email to: **security@gsd.build** (or DM @glittercowboy on Discord/Twitter if email bounces)
+
+Include:
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Any suggested fixes (optional)
+
+## Response Timeline
+
+- **Acknowledgment**: Within 48 hours
+- **Initial assessment**: Within 1 week
+- **Fix timeline**: Depends on severity, but we aim for:
+  - Critical: 24-48 hours
+  - High: 1 week
+  - Medium/Low: Next release
+
+## Scope
+
+Security issues in the GSD codebase that could:
+- Execute arbitrary code on user machines
+- Expose sensitive data (API keys, credentials)
+- Compromise the integrity of generated plans/code
+
+## Recognition
+
+We appreciate responsible disclosure and will credit reporters in release notes (unless you prefer to remain anonymous).