chore(security): rewrite SECURITY.md with SOC2-ready policy

[anandray]

Summary

Adds explicit triage/remediation SLA (critical 7d, high 30d, medium 90d), documents the current scanning toolchain (CodeQL, Scorecard, Trivy, Dependabot, secret scanning), branch protection on develop, and quarterly access reviews. Updates the reporting address from a non-routable security@ alias to anand.ray@rocketride.ai pending shared-mailbox creation.

Refs #760

Type

Testing

• Tests added or updated
• Tested locally
• ./builder test passes

Checklist

• Commit messages follow conventional commits
• No secrets or credentials included
• Wiki updated (if applicable)
• Breaking changes documented (if applicable)

Linked Issue

Fixes #763

Summary by CodeRabbit

• Documentation
  • Security policy substantially rewritten to provide a comprehensive vulnerability program, including private reporting, public disclosure guidance, and explicit contact methods.
  • Introduces SLA timelines for triage/remediation, clarified supported versions, disposition categories, tooling and branch protection guidance, and structured governance for handling vulnerabilities.

[coderabbitai]

📝 Walkthrough

Walkthrough

The SECURITY.md was rewritten into a comprehensive security policy: private vulnerability reporting channels were added, triage/remediation SLAs and disposition categories defined, tooling and branch protection rules documented, quarterly access review guidance added, supported-versions guidance updated, and public disclosure procedures specified.

Changes

SECURITY Policy Replacement

Layer / File(s)	Summary
Intro & Reporting Channels SECURITY.md	Replaces prior intro and "Reporting a Vulnerability" content with private reporting instructions (email and GitHub PVR) and explicit guidance not to open public issues.
Triage & Remediation SLAs SECURITY.md	Adds SLA table for triage and remediation by severity (Critical/High/Medium/Low) with explicit timelines.
Disposition Categories SECURITY.md	Introduces outcome categories: Fixed, Mitigated, False positive, Accepted risk.
Tooling & Coverage SECURITY.md	Documents active scanning and protection toolchain (CodeQL, Scorecard, Trivy, Dependabot, secret scanning, push protection) and references workflow locations.
Branch Protection & Wiring SECURITY.md	Specifies develop branch guardrails: PR-only merges, code-owner approvals, CI checks, no force-push/branch deletion, linear history, stale review handling, admin bypass disabled.
Access Reviews & Governance SECURITY.md	Adds quarterly access review guidance (members, outside collaborators, org owners) and 2FA compliance recording.
Supported Versions Guidance SECURITY.md	Updates supported versions guidance (notes 3.1.x supported; versions <3.1 unsupported; critical issues may be case-by-case).
Public Disclosure SECURITY.md	Defines process for publishing advisories after remediation and crediting reporters; includes advisory URL guidance.
Removed Legacy Sections SECURITY.md (removed content)	Deletes previous sections ("Supported Versions", "Reporting a Vulnerability" old subsections, "What to Expect", "Disclosure Policy", "Security Best Practices", "Security Features", closing courtesy) replacing them with consolidated policy text.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 In burrows of code I nibble and see,

SLAs like carrots hung tidy on a tree,
Guards on the branch and scanners on patrol,
Quarterly checks keeping order in the hole,
I hop away happy — safe code and a full soul.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore(security): rewrite SECURITY.md with SOC2-ready policy' directly and accurately describes the main change: a comprehensive rewrite of SECURITY.md to meet SOC2 compliance requirements.
Linked Issues check	✅ Passed	The pull request comprehensively addresses all coding requirements from linked issue #763: defines triage/remediation SLAs by severity, documents the scanning toolchain (CodeQL, Scorecard, Trivy, Dependabot, secret scanning), records branch protection and access review procedures, and provides monitored reporting mechanism.
Out of Scope Changes check	✅ Passed	All changes are scoped to SECURITY.md documentation updates directly supporting SOC2 alignment; no out-of-scope modifications to code, configuration, or unrelated files are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch develop-security-soc2-05052026

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

No description provided.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Around line 9-10: Replace the single-person contact in the SECURITY.md
vulnerability intake section by adding a shared, monitored alias and at least
one backup/escalation mailbox; update the existing "**Email:**
anand.ray@rocketride.ai" line to include a team alias (e.g.,
security@rocketride.ai) and append an "Escalation / Backup" line listing
secondary contacts or rotation procedures, and ensure the "**GitHub Private
Vulnerability Reporting:**" entry references the same monitored alias or
documents the escalation path so intake isn't dependent on one individual.
- Around line 50-51: Replace brittle hard-coded CI check names and fixed
schedule text (e.g., "CI OK", "Analyze (python)", "Analyze
(javascript-typescript)", and the cadence/force-push wording) with a policy
statement referencing "required checks configured in branch protection" and
"security scans configured in GitHub Actions"; remove specific job
names/schedules from SECURITY.md and add a note that exact job names and scan
cadence belong in the operational runbook so audits reference the canonical
config there.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9b0d9a57-942b-43f4-9c3e-d6331a77e433

📥 Commits

Reviewing files that changed from the base of the PR and between 56cf4ef and 4a06aff.

📒 Files selected for processing (1)

• SECURITY.md

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

SECURITY.md (1)

9-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid single-person vulnerability intake dependency.

The primary email path still depends on one individual mailbox, which is a continuity risk for security intake. Add a shared monitored alias and explicit backup/escalation contact in this policy.

Proposed doc update

-- **Email:** anand.ray@rocketride.ai
+- **Email:** security@rocketride.ai (monitored shared mailbox)
+- **Escalation / Backup:** anand.ray@rocketride.ai (until shared mailbox migration is complete)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 9 - 10, Replace the single-person contact in the
SECURITY.md entry that currently shows "**Email:** anand.ray@rocketride.ai" with
a shared, monitored alias (e.g., security@rocketride.ai) and add an explicit
backup/escalation contact line (e.g., "**Escalation contact:**
security-lead@rocketride.ai or PagerDuty/rotation details") next to or below the
existing "**GitHub Private Vulnerability Reporting:**" entry; ensure the text
also notes monitoring/SLAs for the alias and that the original personal mailbox
is listed only as a secondary/backup contact.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Around line 14-25: The intake sentence ("We aim to acknowledge reports within
2 business days and provide a triage decision within 5 business days") conflicts
with the severity-specific triage SLAs in the "Triage and Remediation SLA" table
(e.g., Critical = 1 business day); update SECURITY.md to remove ambiguity by
replacing the generic "provide a triage decision within 5 business days" with a
sentence that defers to the table (e.g., "we aim to provide a triage decision
within the timeframes specified in the Triage and Remediation SLA table below"),
or conversely adjust the table to match a single 5-business-day intake
policy—ensure the intake line explicitly references the table and keep the table
rows (Critical/High/Medium/Low) consistent with that choice so auditors can
unambiguously determine applicable triage SLAs.
- Line 46: Update the sentence that refers to GitHub to use the canonical
capitalization "GitHub" (capital G and H) instead of any other casing; locate
the line containing "Tool configuration, cadence, and exact workflow names are
maintained in `.github/workflows/` and the repository's security settings —
refer to those as the source of truth." and change the product name to "GitHub"
for consistency with official naming.

---

Duplicate comments:
In `@SECURITY.md`:
- Around line 9-10: Replace the single-person contact in the SECURITY.md entry
that currently shows "**Email:** anand.ray@rocketride.ai" with a shared,
monitored alias (e.g., security@rocketride.ai) and add an explicit
backup/escalation contact line (e.g., "**Escalation contact:**
security-lead@rocketride.ai or PagerDuty/rotation details") next to or below the
existing "**GitHub Private Vulnerability Reporting:**" entry; ensure the text
also notes monitoring/SLAs for the alias and that the original personal mailbox
is listed only as a secondary/backup contact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 65f11f34-efb7-43be-9a70-253c0d62366c

📥 Commits

Reviewing files that changed from the base of the PR and between 4a06aff and 17b7c27.

📒 Files selected for processing (1)

• SECURITY.md

[coderabbitai]

♻️ Duplicate comments (2)

SECURITY.md (2)

46-46: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

GitHub capitalization still needs correction.

Line 46 should use "GitHub security settings" (capital H) for consistency with official product naming in compliance documentation.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` at line 46, Update the phrase in SECURITY.md that currently
reads "the repository's security settings" to "the repository's GitHub security
settings" so "GitHub" is capitalized; locate the sentence containing
".github/workflows/ and the repository's security settings" and replace it with
".github/workflows/ and the repository's GitHub security settings" to ensure
consistent official product naming.

---

9-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Single-person vulnerability intake channel remains unresolved.

The individual mailbox (anand.ray@rocketride.ai) creates a continuity risk for SOC2 security incident intake. The PR description acknowledges this is temporary pending a shared mailbox, but the policy should not go live for audit evidence until a monitored team alias or backup escalation path is in place.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 9 - 10, Replace the single-person intake address
"anand.ray@rocketride.ai" with a monitored team alias and add a backup
escalation path in the SECURITY.md contact section; update the "GitHub Private
Vulnerability Reporting" note to reference the team mailbox (or both the team
alias and the individual as secondary) and document the alternate escalation
contact and monitoring details so the policy shows a shared, monitored channel
and a backup for SOC2 evidence.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@SECURITY.md`:
- Line 46: Update the phrase in SECURITY.md that currently reads "the
repository's security settings" to "the repository's GitHub security settings"
so "GitHub" is capitalized; locate the sentence containing ".github/workflows/
and the repository's security settings" and replace it with ".github/workflows/
and the repository's GitHub security settings" to ensure consistent official
product naming.
- Around line 9-10: Replace the single-person intake address
"anand.ray@rocketride.ai" with a monitored team alias and add a backup
escalation path in the SECURITY.md contact section; update the "GitHub Private
Vulnerability Reporting" note to reference the team mailbox (or both the team
alias and the individual as secondary) and document the alternate escalation
contact and monitoring details so the policy shows a shared, monitored channel
and a backup for SOC2 evidence.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: beb1c5f9-7635-4dc9-bb9c-b81280596105

📥 Commits

Reviewing files that changed from the base of the PR and between 17b7c27 and 370fc28.

📒 Files selected for processing (1)

• SECURITY.md