From 625162edd34ae8fac126b0a1d7c059eaee8480cd Mon Sep 17 00:00:00 2001 From: Igor Lins e Silva <4753812+igorls@users.noreply.github.com> Date: Tue, 14 Apr 2026 11:50:00 -0300 Subject: [PATCH] docs: tighten SECURITY.md with real version policy and GHPVR-only channel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Builds on @Yorji-Porji's draft by fixing three issues before it lands: - Replace the `< 1.0.0` placeholder table with MemPalace's actual support policy: current major (3.x) receives fixes, 2.x and earlier do not. - Remove the `[Insert Maintainer Email Here]` placeholder and the email fallback. GitHub Private Vulnerability Reporting is enabled on this repo; the policy points there exclusively so there is no risk of a researcher emailing a dead address. - Drop the meta-note ("Adjust the table above…") that was an instruction to the maintainer, not policy text. Structure, triage timelines, and credit language are kept as drafted. --- SECURITY.md | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 72f7bc4..42c0238 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,30 +2,32 @@ ## Supported Versions -Please check the table below for the supported versions that are currently receiving security updates. +MemPalace follows semantic versioning. Security fixes land on the current major version line. -| Version | Supported | -| ------- | ------------------ | -| `main` / `develop` | :white_check_mark: | -| `< 1.0.0` | :x: | - -*(Note: Adjust the table above to reflect MemPalace's actual release cycle)* +| Version | Supported | +| ------------------ | --------- | +| 3.x (current) | Yes | +| 2.x and earlier | No | ## Reporting a Vulnerability **Please do not report security vulnerabilities through public GitHub issues.** -We take the security of MemPalace seriously. If you believe you have found a security vulnerability, please report it to us privately using one of the following methods: +We take the security of MemPalace seriously. If you believe you have found a security vulnerability, please report it privately using **GitHub Private Vulnerability Reporting**: -1. **GitHub Private Vulnerability Reporting:** Navigate to the "Security" tab in this repository, click on "Advisories," and select "Report a vulnerability." -2. **Direct Contact:** If private reporting is not enabled, please email the core maintainers directly at `[Insert Maintainer Email Here]`. +1. Open the [Security tab](https://github.com/MemPalace/mempalace/security) of this repository. +2. Click **Advisories** → **Report a vulnerability**. +3. Fill in the form with the details below. -### What to include in your report: -* A descriptive summary of the vulnerability. -* Detailed steps to reproduce the issue (including any proof-of-concept scripts or specific file paths). -* The potential impact and severity of the vulnerability. +### What to include in your report -### What to expect: -* We aim to acknowledge receipt of your vulnerability report within 48 hours. -* We will triage the issue and keep you updated on our progress toward a patch. 
-* Once the vulnerability is resolved and an update is released, we will publish a security advisory and credit you for the discovery (if you wish to be credited). +- A descriptive summary of the vulnerability. +- Detailed steps to reproduce the issue (including any proof-of-concept scripts or specific file paths). +- The affected version(s) and platform(s). +- The potential impact and severity. + +### What to expect + +- We aim to acknowledge receipt within 48 hours. +- We will triage the issue and keep you updated on progress toward a patch. +- Once the vulnerability is resolved and an update is released, we will publish a security advisory and credit you for the discovery (if you wish to be credited).
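Review bot: the Supported Versions table in this hunk will silently go stale at the next major release, because `| 3.x (current) | Yes |` hard-codes a version number while the sentence above it states the policy generically ("Security fixes land on the current major version line"). Either keep only the generic statement, or add one line saying the table is refreshed at each major release and whether the previous major gets any transition window after a new major ships; as written, `| 2.x and earlier | No |` implies none. Two smaller points in the same hunk: with the `Direct Contact` email fallback removed, the policy now has exactly one intake channel, so consider a sentence telling a reporter what to do if the Private Vulnerability Reporting form is unavailable (for example, open a public issue that contains no details and ask a maintainer to make contact); and the `[Security tab](https://github.com/MemPalace/mempalace/security)` link should be checked against the repository's actual owner/name before merge, since the stated goal of the change is to stop pointing researchers at a dead address.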