chore: add SECURITY.md (private vulnerability reporting policy) #933

Open

eddieran wants to merge 1 commit into dromara:dev from eddieran:chore/security-policy

Conversation

@eddieran commented May 9, 2026

Why

Sa-Token currently has no SECURITY.md. GitHub's Security tab shows the "Suggest a security policy" prompt for exactly this case (https://github.com/dromara/Sa-Token/security/policy). This PR is that suggestion.

What

Adds a draft SECURITY.md at the repo root, modelled on GitHub's standard template with sections tailored for an authentication / authorization / SSO framework.

The most important part is documenting a private reporting channel so security researchers can responsibly disclose findings without having to choose between staying silent and posting to a public issue. The draft points at GitHub's Private Vulnerability Reporting (PVR) feature as the preferred channel, with an email fallback that maintainers can fill in.

Suggested action by maintainers after merge:

  1. Enable PVR via Settings → Code security → Private vulnerability reporting → Enable. Free for public repos.
  2. Optionally edit the email fallback in SECURITY.md to point at the maintainer's preferred address.

Sections in the draft:

  • Reporting a vulnerability (PVR + email fallback)
  • What to include
  • Scope and supported versions (with explicit out-of-scope examples to reduce triage burden — e.g. excluding admin-controlled-by-design features)
  • Process / SLA / hall-of-fame

Maintainers should feel free to edit any section — the important thing is that a private channel exists.

Companion issue

See #932 for the request to enable PVR. This PR is the SECURITY.md half; merging this and enabling PVR together unblocks structured private disclosure.

Why I'm sending this

I have findings ready to disclose against Sa-Token and would like to file via PVR once it's enabled. As soon as this PR lands and PVR is on, I'll route the report through the structured channel — the finding has a concrete PoC and suggested patch, just waiting on the channel.

For broader context, this is part of a wider coordinated-disclosure campaign that has filed advisories across many maintainer orgs over the past weeks; everything has been routed through private channels with no public weaponization.

Thanks for considering!

Adds a draft security policy modeled on GitHub's 'Suggest a security
policy' workflow. The most important part is documenting a private
reporting channel so researchers can responsibly disclose findings.

Maintainers should feel free to edit any section.