Add an org-wide SECURITY.md #4

Open
averevki wants to merge 1 commit into main from add-security-md

Conversation

averevki (Member) commented Jun 30, 2026

Summary

  • Add SECURITY.md to the org-level .github repo, automatically inherited by all Kuadrant repositories
  • Addresses the OpenSSF Scorecard Security-Policy check (currently 0/10) across the org
  • Directs vulnerability reporters to use GitHub Private Vulnerability Reporting (Private Vulnerability Reporting needs to be enabled for Kuadrant's GitHub organization prior to merging this PR)

This PR addresses Kuadrant/kuadrant-operator#2039

Summary by CodeRabbit

  • Documentation
    • Added a security policy outlining how to report vulnerabilities, what information to include, expected confidentiality, response timelines, and issue scope guidance.

Signed-off-by: averevki <sandyverevkin@gmail.com>
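The PR summary above ties the new file to the OpenSSF Scorecard Security-Policy check and to giving reporters a private channel with response windows. The script below is an added example, not code from this PR or from the Kuadrant project or OpenSSF: it runs a handful of assumed heuristics over a SECURITY.md (is there a reporting channel at all, is there a fallback contact besides GitHub Private Vulnerability Reporting, is a numbered response timeline stated) so a maintainer can sanity-check a draft before pushing it to the org `.github` repo. The sample policy text is constructed for the example, and the heuristics are an approximation of what such a check looks for, not Scorecard's own implementation.

```python
"""Sanity-check a SECURITY.md for the elements a reporter needs.

Assumed heuristics (presence of a private channel, a fallback contact and
a stated response timeline); this is not the OpenSSF Scorecard code.
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample text shaped like the policy this PR describes
# (GitHub Private Vulnerability Reporting plus numbered response windows).
# It is NOT the SECURITY.md from the PR itself.
SAMPLE_POLICY = """\
# Security Policy

## Reporting a vulnerability

1. Go to the repository's **Security** tab.
2. Click **"Report a vulnerability"** under **Advisories**.

Please include affected versions, reproduction steps and impact.

## Response

- We acknowledge reports within 5 business days.
- We determine severity within 10 business days.
"""

# Signals we look for in the policy text.
PVR_PHRASE = re.compile(r"report a vulnerability", re.IGNORECASE)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL = re.compile(r"https?://[^\s)>\"]+")
TIMELINE = re.compile(
    r"\b\d+\s*(?:business\s+|calendar\s+)?(?:days?|hours?|weeks?)\b",
    re.IGNORECASE,
)


@dataclass
class PolicyReport:
    has_pvr: bool          # mentions GitHub's "Report a vulnerability" flow
    emails: list           # e-mail contacts found
    urls: list             # links found
    timelines: list        # phrases such as "5 business days"
    findings: list = field(default_factory=list)   # blocking problems
    warnings: list = field(default_factory=list)   # worth fixing, not blocking

    @property
    def ok(self) -> bool:
        return not self.findings


def check_policy(text: str, min_length: int = 100) -> PolicyReport:
    """Return a PolicyReport for the given SECURITY.md text."""
    report = PolicyReport(
        has_pvr=bool(PVR_PHRASE.search(text)),
        emails=EMAIL.findall(text),
        urls=URL.findall(text),
        timelines=TIMELINE.findall(text),
    )
    if len(text.strip()) < min_length:
        report.findings.append(f"policy text shorter than {min_length} characters")
    if not (report.has_pvr or report.emails or report.urls):
        report.findings.append("no reporting channel (no PVR instructions, email or URL)")
    if not report.timelines:
        report.findings.append("no response timeline (e.g. 'within N business days')")
    # Mirrors the reviewer's point: PVR alone leaves reporters without GitHub
    # access, or repos where PVR is off, with nowhere to go.
    if report.has_pvr and not report.emails:
        report.warnings.append(
            "no fallback contact if Private Vulnerability Reporting is unavailable"
        )
    return report


def main(argv) -> int:
    """Check the file given on the command line, or the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_POLICY
    report = check_policy(text)
    for finding in report.findings:
        print("FAIL:", finding)
    for warning in report.warnings:
        print("WARN:", warning)
    print("channels:", "PVR" if report.has_pvr else "-", report.emails, report.urls)
    print("timelines:", report.timelines)
    return 0 if report.ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_security_md.py SECURITY.md` (the filename is assumed); the exit code is non-zero only for blocking findings, so the missing-fallback case surfaces as a warning rather than failing a CI job until the org decides whether to publish an e-mail contact.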
@averevki averevki self-assigned this Jun 30, 2026
coderabbitai (Bot) commented Jun 30, 2026

Walkthrough

A new SECURITY.md file is added to the repository, defining the Kuadrant project's security policy. It covers private vulnerability reporting via GitHub, required submission details, response and coordination timelines, confidentiality expectations, and out-of-scope issue categories.

Changes

Security policy document (SECURITY.md): Introduces the complete security policy, including private reporting workflow, required submission details, expected response timelines, and out-of-scope issue definitions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 A document now guards the gate,
For bugs reported soon, not late.
In private whispers, tell your tale,
The Kuadrant team shall never fail.
Hop along, keep secrets safe! 🔒

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: adding an organisation-wide SECURITY.md file.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.


coderabbitai (Bot) left a comment

🧹 Nitpick comments (2)
SECURITY.md (2)

15-16: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add fallback contact method for when Private Vulnerability Reporting is unavailable.

If Private Vulnerability Reporting is not enabled on a specific repository, or if a reporter cannot access GitHub, there is no alternative reporting channel. Consider adding a security email address or alternative contact method for such cases.

   2. Click **"Report a vulnerability"** under **Advisories**.
+   
+   If Private Vulnerability Reporting is not available, please email us at
+   security@kuadrant.io (or the appropriate security contact).
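Review bot: the address in the suggested lines, security@kuadrant.io, is the reviewer's own guess rather than a confirmed contact (the trailing "(or the appropriate security contact)" says as much), so before adopting the suggestion confirm that a mailbox at that address actually exists and is monitored, and drop the parenthetical from the published text; a fallback address that nobody reads is worse than none, because a reporter will assume the report was received. Also, the first added line is whitespace-only (a blank line with trailing spaces), which Markdown linters flag; make it an empty line.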
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 15 - 16, The Security.md guidance only describes
GitHub Private Vulnerability Reporting, so add a fallback contact path for cases
where it is unavailable or GitHub access is blocked. Update the security
reporting instructions in SECURITY.md to include an alternative channel such as
a security email address or other contact method, and keep it alongside the
existing report-a-vulnerability steps so readers can find it easily.

36-40: 🔒 Security & Privacy | 🔵 Trivial

Response timelines are reasonable but verify organizational capacity.

The committed response timelines (5 business days for acknowledgement, 10 for severity determination) are good practices. Ensure the security team has sufficient coverage to meet these commitments consistently.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 36 - 40, The response timeline section in
SECURITY.md commits to fixed acknowledgement and severity-determination windows,
so update the wording around the bullets to make clear these are targets or
commitments only if the security team has sufficient coverage. Keep the same
timeline values in the SECURITY.md section, but add a brief qualifier that
operational capacity and staffing are in place to consistently meet them.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 247706e5-c451-4417-b2a4-b82742deeb5c

📥 Commits

Reviewing files that changed from the base of the PR and between f3be2fc and 214975d.

📒 Files selected for processing (1)
  • SECURITY.md
