<!-- DRAFT / REDUNDANT STUB — for the OSS-readiness audit only.

A complete, public security policy ALREADY EXISTS at
oss/overlay/SECURITY.md (covers supported versions, private vulnerability
reporting, and a deployment-hardening baseline). It is sufficient for OSS.

This file exists only so the audit can point to "SECURITY coverage = yes"
and should be DELETED once the existing oss/overlay/SECURITY.md is accepted.
Do NOT publish this stub. -->

# Security Policy (DRAFT stub — see oss/overlay/SECURITY.md)

The authoritative security policy is **[oss/overlay/SECURITY.md](../oss/overlay/SECURITY.md)**,
which ships publicly as `SECURITY.md`. It covers:

- Supported versions (latest release + `main`).
- Private vulnerability reporting (no public issues for undisclosed vulns;
  use the host's private reporting feature or contact the owner; 7-day ack).
- Deployment baseline (localhost until OAuth, TLS reverse proxy,
  `safety.bash_sandbox: always`, secret hygiene, `/metrics` restriction,
  tool/integration review).

No separate top-level `SECURITY.md` is needed. Delete this draft after confirming
the overlay policy.