
docs(security): add SECURITY.md with disclosure policy and project PG… #169

Open
barnabasolutayo-lgtm wants to merge 1 commit into Dgetsylver:main from barnabasolutayo-lgtm:SECURITY.md

Conversation

@barnabasolutayo-lgtm

Close #82
Add SECURITY.md, embed project PGP public key, and link from README & CONTRIBUTING

PR description:
Summary

  • Adds a repository-level responsible disclosure policy and published PGP public key.
  • Updates project references so contributors and researchers can find secure reporting channels.

What changed

  • Added SECURITY.md containing reporting instructions, triage timeline, 90-day disclosure window, safe-harbor statement, and the project's PGP public key.
  • Added a short reference to the security guidance in README.md.
  • Updated CONTRIBUTING.md to reference the security policy.
  • Exported public key as turbo_gpg_pub.asc (public key only) and embedded the public key block into SECURITY.md.

Acceptance criteria (met)

  • File placed at repo root: SECURITY.md
  • Referenced from README and CONTRIBUTING: yes
  • PGP public key or encrypted channel published: public key embedded and exported to turbo_gpg_pub.asc

Notes for reviewers

  • The PGP public key was generated in the workspace and exported; the private key is NOT committed. If you prefer to use an existing organizational key, replace the armored block in SECURITY.md and update or remove turbo_gpg_pub.asc.
  • Recommended optional follow-ups: create a draft GitHub Security Advisory, confirm contact email routing, and rotate/update the key if you want a different identity.

Files changed

  • SECURITY.md
  • README.md
  • CONTRIBUTING.md
  • turbo_gpg_pub.asc

Testing / verification

  • Manual review of the added files and the PGP block.
  • Verify turbo_gpg_pub.asc imports correctly: gpg --import turbo_gpg_pub.asc (recommended to test locally, not in CI).

Next steps (optional)

  • Create a draft GitHub Security Advisory for the repo.
  • Replace the embedded public key with your canonical key if desired.
  • Merge when maintainers are satisfied.
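A pre-commit check for an exported armor file such as turbo_gpg_pub.asc, added here as an example and not part of this PR or the project's code: it verifies the armor framing and the RFC 4880 CRC-24, then walks the OpenPGP packet headers to confirm the block contains a public-key packet and no secret-key packets, which is the property the reviewer notes above rely on. The sample blocks are constructed inline, the armor() helper exists only to build them, and the header parser handles 1-, 2- and 4-octet packet lengths but not partial-length or 5-octet encodings.

```python
import base64

def crc24(data: bytes) -> int:  # RFC 4880 section 6.1 checksum over the dearmored bytes
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(payload: bytes, kind: str) -> str:  # minimal writer, used only for constructed samples
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {kind}-----\n\n{base64.b64encode(payload).decode()}\n"
            f"={crc}\n-----END PGP {kind}-----\n")

def packet_tags(payload: bytes) -> list:  # 5 = secret key, 6 = public key, 7 = secret subkey
    tags, i = [], 0
    while i < len(payload):
        ctb = payload[i]
        if (ctb & 0xC0) == 0xC0 and payload[i + 1] < 224:  # new-format, 1- or 2-octet length
            tag, first = ctb & 0x3F, payload[i + 1]
            hdr = 2 if first < 192 else 3
            length = first if first < 192 else ((first - 192) << 8) + payload[i + 2] + 192
        elif (ctb & 0xC0) == 0x80 and (ctb & 0x03) != 3:  # old-format, 1-, 2- or 4-octet length
            tag, hdr = (ctb >> 2) & 0x0F, 1 + (1 << (ctb & 0x03))
            length = int.from_bytes(payload[i + 1:i + hdr], "big")
        else:
            raise ValueError("malformed or unsupported packet header")
        tags.append(tag)
        i += hdr + length
    return tags

def check_public_key_armor(text: str) -> list:  # returns the packet tags if the file is safe to commit
    lines = text.strip().splitlines()
    kind = lines[0][15:-5]
    if lines[0] != f"-----BEGIN PGP {kind}-----" or lines[-1] != f"-----END PGP {kind}-----":
        raise ValueError("armor header/footer mismatch")
    body = lines[1:-1]
    while body and body[0]:  # armor headers (Version:, Comment:) end at a blank line
        body.pop(0)
    if len(body) < 3 or not body[-1].startswith("="):
        raise ValueError("missing base64 body or checksum line")
    payload = base64.b64decode("".join(body[1:-1]))
    if base64.b64decode(body[-1][1:]) != crc24(payload).to_bytes(3, "big"):
        raise ValueError("CRC-24 mismatch: block was corrupted or hand-edited")
    tags = packet_tags(payload)
    if "PRIVATE" in kind or 6 not in tags or any(t in (5, 7) for t in tags):
        raise ValueError("secret-key material present or no public key: do not commit this file")
    return tags
```

Run check_public_key_armor() on the contents of the .asc file in a pre-commit hook; it raises ValueError with the reason on any file that should not be committed.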

…P public key; link from README & CONTRIBUTING
@drips-wave

drips-wave Bot commented May 29, 2026

@barnabasolutayo-lgtm Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀



Development

Successfully merging this pull request may close these issues.

G5: SECURITY.md and disclosure policy
