From 5ca697f0cc27d23b569352008c569c71729135a3 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Mon, 29 Jun 2026 23:32:27 +0900 Subject: [PATCH 1/2] chore: add security policy --- SECURITY.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..4a81e68 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,28 @@ +# Security Policy + +## Reporting a Vulnerability + +Please do not report unpatched vulnerabilities through public GitHub issues. + +Preferred: use GitHub private vulnerability reporting for this repository: + +- https://github.com/ContextualWisdomLab/aFIPC/security/advisories/new + +If private reporting is unavailable, open a public issue that only asks for a secure disclosure channel. Do not include exploit details, secrets, personal data, or unreleased vulnerability information in a public issue. + +When reporting, include: + +- affected branch, tag, or commit +- reproduction steps +- impact assessment +- proof-of-concept input or sanitized logs when needed for safe reproduction + +## Response Expectations + +- acknowledgement target: within 7 days +- triage or status update target: within 30 days when a fix is feasible +- coordinated disclosure preferred after a fix or mitigation is available + +## Safe Handling + +Do not send production credentials, private keys, customer data, or copyrighted third-party source documents in reports. Use synthetic fixtures and sanitized evidence whenever possible. \ No newline at end of file From 89c2acc20d547c1317a624d24c26bda5e8dc34ca Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Mon, 29 Jun 2026 23:37:00 +0900 Subject: [PATCH 2/2] chore: normalize metadata newlines --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 4a81e68..09d542f 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -25,4 +25,4 @@ When reporting, include: ## Safe Handling -Do not send production credentials, private keys, customer data, or copyrighted third-party source documents in reports. Use synthetic fixtures and sanitized evidence whenever possible. \ No newline at end of file +Do not send production credentials, private keys, customer data, or copyrighted third-party source documents in reports. Use synthetic fixtures and sanitized evidence whenever possible.
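Review bot: the "triage or status update target: within 30 days when a fix is feasible" line in the Response Expectations section makes the status update conditional on a fix being feasible, which leaves a reporter with no expected communication when the maintainers decide a fix is not feasible; suggest splitting it into an unconditional status-update target (e.g. "status update target: within 30 days") and a separate statement that fix timelines depend on feasibility. Two smaller points in the same hunk: the fallback "open a public issue that only asks for a secure disclosure channel" is the only alternative offered when private vulnerability reporting is unavailable, so consider also listing a contact address or PGP key as a non-public fallback; and the file is added without a trailing newline (the "\ No newline at end of file" marker), which the follow-up commit then has to correct.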
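Review bot: this second commit touches only SECURITY.md and its sole effect is adding the missing trailing newline to the last line, so the subject "chore: normalize metadata newlines" overstates the scope and the change would be cleaner squashed into the first commit that created the file; if it is kept separate, rename it to something like "chore: add trailing newline to SECURITY.md". An `insert_final_newline = true` rule in the repository's `.editorconfig` (assumed not present, since the page does not show one) would prevent the same fix-up commit from recurring.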