Security Disclosure Policy for CONTRIBUTING.md

Add a security disclosure policy to your CONTRIBUTING.md. Cover responsible disclosure, SECURITY.md, severity classification, response timelines, and CVE processes.


Detailed Explanation

Security Disclosure in Contributing Guides

Every project that accepts contributions should have a clear security disclosure policy. This protects users and gives security researchers confidence that their reports will be handled properly.

SECURITY.md

GitHub recommends a separate SECURITY.md file, but your CONTRIBUTING.md should reference it:

## Security

For security vulnerabilities, **do not open a public issue**.
Please follow our [Security Policy](SECURITY.md) for responsible
disclosure instructions.

Responsible Disclosure Process

## Reporting a Security Vulnerability

1. Email security@project.org with:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

2. You will receive an acknowledgment within 48 hours.

3. We will investigate and provide updates within 7 days.

4. Once fixed, we will coordinate disclosure timing with you.

Severity Classification

| Severity | Description | Response Time |
|---|---|---|
| Critical | Remote code execution, data breach | 24 hours |
| High | Authentication bypass, privilege escalation | 48 hours |
| Medium | XSS, CSRF, information disclosure | 7 days |
| Low | Non-exploitable issues, hardening | 30 days |

What Qualifies as a Security Issue

Tell reporters which findings belong in the private security channel rather than in a normal bug report:

  • Authentication or authorization bypasses
  • Data exposure or leakage
  • Remote code execution
  • SQL injection, XSS, CSRF
  • Dependency vulnerabilities with exploitable impact
  • Cryptographic weaknesses

CVE Process

For projects that assign CVEs:

We will request a CVE ID for confirmed vulnerabilities. Credit will be given to the reporter in the security advisory unless they prefer anonymity.

Safe Harbor

Include a safe harbor statement:

We will not pursue legal action against security researchers who follow this responsible disclosure process and act in good faith.
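A small check that a repository actually carries the pieces described above (a CONTRIBUTING.md that points to SECURITY.md and tells reporters not to open public issues, and a SECURITY.md with a contact address, an acknowledgment timeline and a safe harbor statement) is useful as a pre-release or CI lint. This is an added example, not code from the page or any project; the file names follow GitHub's convention, the regexes, the `check_policy`/`demo` function names and the sample file contents are assumptions constructed for the example.

```python
"""Lint a repository for the security disclosure pieces a CONTRIBUTING.md
and SECURITY.md should carry. Added example; file layout and regexes are
assumptions, and the sample documents are constructed from the page's snippets."""
import re
import tempfile
from pathlib import Path

# Constructed sample files mirroring the snippets above.
SAMPLE_CONTRIBUTING = """# Contributing

## Security

For security vulnerabilities, **do not open a public issue**.
Please follow our [Security Policy](SECURITY.md) for responsible
disclosure instructions.
"""

SAMPLE_SECURITY = """# Security Policy

## Reporting a Security Vulnerability

1. Email security@project.org with a description, steps to reproduce,
   potential impact and a suggested fix (if any).
2. You will receive an acknowledgment within 48 hours.

## Safe Harbor

We will not pursue legal action against security researchers who follow
this responsible disclosure process and act in good faith.
"""

# check name -> (file it applies to, pattern that must match somewhere in it)
CHECKS = {
    "contributing_links_security_md": ("CONTRIBUTING.md", re.compile(r"\]\(SECURITY\.md\)")),
    "contributing_says_no_public_issue": ("CONTRIBUTING.md", re.compile(r"do not open a public issue", re.I)),
    "security_md_has_contact": ("SECURITY.md", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    "security_md_has_ack_timeline": ("SECURITY.md", re.compile(r"within \d+ (hours|days)", re.I)),
    "security_md_has_safe_harbor": ("SECURITY.md", re.compile(r"safe harbor", re.I)),
}


def check_policy(repo: Path) -> dict[str, bool]:
    """Return check name -> pass/fail for the repository rooted at `repo`.
    A missing file simply fails every check that applies to it."""
    results = {}
    for name, (filename, pattern) in CHECKS.items():
        path = repo / filename
        text = path.read_text(encoding="utf-8") if path.is_file() else ""
        results[name] = bool(pattern.search(text))
    return results


def missing_checks(repo: Path) -> list[str]:
    """Names of the checks that failed, sorted for stable reporting."""
    return sorted(name for name, ok in check_policy(repo).items() if not ok)


def write_sample_repo(root: Path, include_security_md: bool = True) -> Path:
    """Write the constructed sample files into `root` (optionally omitting
    SECURITY.md to show what a failing repository looks like)."""
    (root / "CONTRIBUTING.md").write_text(SAMPLE_CONTRIBUTING, encoding="utf-8")
    if include_security_md:
        (root / "SECURITY.md").write_text(SAMPLE_SECURITY, encoding="utf-8")
    return root


def demo(include_security_md: bool = True) -> list[str]:
    """Build a throwaway sample repository and return its failed checks."""
    with tempfile.TemporaryDirectory() as tmp:
        return missing_checks(write_sample_repo(Path(tmp), include_security_md))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        repo = write_sample_repo(Path(tmp))
        for name, ok in check_policy(repo).items():
            print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run `check_policy(Path("."))` from a repository root to lint the real files; the regexes are deliberately loose (any email address, any "within N hours/days" sentence) so that wording differences do not produce false failures, and they can be tightened to a project's own policy text.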

Use Case

A project handling user data or authentication that needs to establish trust with security researchers by publishing a clear, professional security disclosure policy as part of its contributing guidelines.
