Description
The existing SECURITY.md provides a solid foundation for reporting, but it lacks several industry-standard components that help security researchers and automated tools interact with the repository.
Currently, the policy is missing a clear Vulnerability Disclosure Policy (VDP), structured severity definitions, and alignment with a security.txt file. To keep ZenYukti resilient, this document should be modernized.
Proposed Improvements
1. Severity Classification: Add a table based on CVSS (Common Vulnerability Scoring System) score ranges that defines what counts as "Critical", "High", "Medium" and "Low", so triage decisions are consistent.
2. Coordinated Disclosure Timeline: Explicitly state the "90-day rule" (or a custom window) that a researcher is asked to observe before publishing details of a report.
3. Hall of Fame Clarity: Clearly state whether there is a bug bounty program or whether recognition is purely via the "Hall of Fame."
4. security.txt Integration: Add a /.well-known/security.txt file (the format defined in RFC 9116) that mirrors this policy so that automated scanners and researchers can discover the reporting channel.
5. Scope Definition: Add an "In-Scope" vs "Out-of-Scope" section (e.g., excluding DDoS or social engineering) to cut down on "spam" reports from low-quality scanners.
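As an added illustration of item 4, the following is not ZenYukti's code or its actual security.txt: it embeds a constructed sample of what /.well-known/security.txt could contain and runs the core RFC 9116 checks against it (Contact and Expires present, Expires at most once and in the future, Contact and web URIs using the allowed schemes). All addresses and URLs in it are placeholders, and NOW is a fixed reference time chosen so the checks are reproducible.

```python
"""Added example (not ZenYukti's code): a minimal RFC 9116 security.txt
checker with constructed sample files. Contact addresses and URLs are
placeholders, not the project's real ones."""
from datetime import datetime, timedelta, timezone

# Constructed sample of what /.well-known/security.txt could look like.
SAMPLE = """\
# Placeholder values; replace with the project's real contact and policy URL.
Contact: mailto:security@example.org
Contact: https://example.org/security/report
Expires: 2030-01-01T00:00:00Z
Policy: https://example.org/SECURITY.md
Acknowledgments: https://example.org/hall-of-fame
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
"""

# Constructed broken sample: a bare e-mail address and a duplicated Expires.
BROKEN = """\
Contact: security@example.org
Expires: 2020-01-01T00:00:00Z
Expires: 2031-01-01T00:00:00Z
"""

# Fixed reference time so the checks are reproducible; use the real clock in practice.
NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)

REQUIRED = ("Contact", "Expires")                    # RFC 9116: both MUST be present
AT_MOST_ONCE = ("Expires", "Preferred-Languages")    # RFC 9116: at most one occurrence
HTTPS_ONLY = ("Canonical", "Policy", "Acknowledgments", "Hiring")  # web URIs MUST be https
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}; '#' lines are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the core checks pass."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for uri in fields.get("Contact", []):
        if not uri.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, tel: or https:// URI, got {uri!r}")
    for name in HTTPS_ONLY:
        for uri in fields.get(name, []):
            if not uri.startswith("https://"):
                problems.append(f"{name} must be an https:// URI, got {uri!r}")
    expires = fields.get("Expires", [])
    if len(expires) == 1:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
        else:
            if when.tzinfo is None:
                problems.append("Expires must include a timezone offset")
            elif when <= now:
                problems.append("Expires is in the past; scanners will treat the file as stale")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year away; RFC 9116 recommends less")
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("broken", BROKEN)):
        print(label, validate_security_txt(text, NOW) or "ok")
```

The Expires field is the one most often forgotten: once it passes, many scanners and researchers treat the file as stale, so whoever owns SECURITY.md should also own renewing it. The sample deliberately lists both a mailto: and an https:// Contact so that a researcher who does not want to send a report by plain e-mail has a second channel.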
Tasks
Why this is needed
- Researcher Trust: Professional researchers are more likely to report to projects that publish clear "Safe Harbor" terms and a disclosure timeline.
- Reduced Noise: A clear "Out-of-Scope" list saves the core team time by filtering out non-exploitable "best practice" suggestions (such as missing SPF records).
- Compliance: Aligns ZenYukti with current Open Source Security Foundation (OpenSSF) best practices.