🔒️ Add security guidelines for vulnerability disclosure.#51

Merged
JSKitty merged 5 commits into VectorPrivacy:master from selkij:patch-1 on Mar 3, 2026

Conversation


@selkij selkij commented Mar 2, 2026

Added a security policy for vulnerability disclosure guidelines. Requires an e-mail address and setting up the Private Security Disclosure system on GitHub.

selkij added 3 commits March 2, 2026 13:27
Added a security policy for vulnerability disclosure guidelines.
Requires an e-mail address and setting up the Private Security Disclosure system on GitHub.
Removed 'Secure storage of messages' from security considerations. (As Vector doesn't store the messages)
Updated the security contact email to the new domain.
@YuurinBee

Thank you for catching this and filling the gap. As I shared, we had it for the Vector SDK thanks to @Luke-Larsen, but appreciate you spotting this and adding the solution, @selkij! Will have @JSKitty review to make sure everything is up to standard before pushing.

@JSKitty

JSKitty commented Mar 3, 2026

To tighten up around the clock, I've gone and set up all best-practice repository security precautions and services that I could; and I'll also set up some of my own (automated PR audits) shortly. The final piece of the puzzle is the Disclosure Policy, which you've gracefully provided us; really do appreciate this nudge and writing! 🙏

This PR is absolutely solid. I believe there are only two small additions I'd like before merging, open to discussion, of course:

  • Email mail@jskitty.cat is reachable in an encrypted format from a Proton email, which may be seen faster by me; it can be an additional contact to our vectorapp email.
  • There is (understandably) often an expectation of compensation for disclosures. We do not have the funding to do this (we ourselves work on Vector voluntarily, as of now); that may change in the future, but as it stands, I think having a clear mention that we cannot currently compensate for findings or bounties would prevent misunderstandings early.

That aside, beautiful first PR contribution. 🙏 💚

@JSKitty JSKitty added the documentation Improvements or additions to documentation label Mar 3, 2026
- Added a compensation section to clarify the project's current stance on financial rewards for disclosures.
- Added another e-mail for reporting a vulnerability.
selkij commented Mar 3, 2026

Does this look good? You can tell me directly what to change by using the GitHub review feature.

@JSKitty JSKitty left a review comment
🚀 LGTM!

@selkij selkij marked this pull request as ready for review March 3, 2026 20:34
selkij commented Mar 3, 2026

It can be merged then!

@JSKitty JSKitty merged commit 9f68677 into VectorPrivacy:master Mar 3, 2026
@selkij selkij deleted the patch-1 branch March 3, 2026 21:11
3 participants