rocketride-org · anandray · May 6, 2026 · May 6, 2026 · May 6, 2026
@@ -1,62 +1,84 @@
 # Security Policy
 
-## Supported Versions
+This document describes how RocketRide handles security findings, vulnerability reports, and access to source code in this repository.
+
+## Reporting a Vulnerability
 
-We release security patches for the following versions:
+If you discover a security vulnerability in RocketRide, please report it privately:
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 3.1.x   | :white_check_mark: |
-| < 3.1   | :x:                |
+- **Email:** anand.ray@rocketride.ai
+- **GitHub Private Vulnerability Reporting:** https://github.com/rocketride-org/rocketride-server/security/advisories/new
 
-## Reporting a Vulnerability
+Do not file public GitHub issues for security vulnerabilities.
+
+We aim to acknowledge reports within **2 business days**. Triage timing is severity-based and follows the SLA table below.
+
+## Triage and Remediation SLA
+
+We triage all code-scanning, dependency-vulnerability, and externally-reported findings against the following SLA:
 
-We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
+| Severity | Triage SLA | Remediation SLA |
+|---|---|---|
+| Critical | 1 business day | 7 calendar days |
+| High | 3 business days | 30 calendar days |
+| Medium | 5 business days | 90 calendar days |
+| Low / Note | Best effort | Best effort |
 
-### How to Report
+### Disposition Categories
 
-1. **Do NOT** open a public GitHub issue for security vulnerabilities
-2. **Preferred**: Use [GitHub Security Advisories](https://github.com/rocketride-org/rocketride-server/security/advisories/new) to report privately through GitHub
-3. **Alternative**: Email security concerns to: security@rocketride.ai
-4. Include as much detail as possible:
-   - Description of the vulnerability
-   - Steps to reproduce
-   - Potential impact
-   - Suggested fix (if any)
+Each finding is closed with one of:
 
-### What to Expect
+- **Fixed** — patch landed; alert auto-closes on next scan
+- **Mitigated** — compensating control documented in the dismissal reason; alert dismissed as "won't fix"
+- **False positive** — alert dismissed as "false positive" with brief explanation
+- **Accepted risk** — alert dismissed as "won't fix" with documented owner and re-evaluation date
 
-- **Acknowledgment**: Within 48 hours
-- **Initial Assessment**: Within 5 business days
-- **Resolution Timeline**: Depends on severity
-  - Critical: 1-7 days
-  - High: 7-30 days
-  - Medium: 30-90 days
-  - Low: Next release cycle
+## Tools and Coverage
 
-### Disclosure Policy
+| Tool | Coverage |
+|---|---|
+| **CodeQL** | Python, JavaScript/TypeScript |
+| **Scorecard** | Supply-chain best practices |
+| **Trivy** | Dockerfile config + dependency CVEs |
+| **Dependabot** | Dependency vulnerabilities |
+| **GitHub Secret Scanning + Push Protection** | Credential leak prevention |
 
-- We will coordinate disclosure with you
-- We request a 90-day disclosure window for non-critical issues
-- We will credit reporters (unless anonymity is requested)
+Tool configuration, cadence, and exact workflow names are maintained in `.github/workflows/` and the repository's security settings — refer to those as the source of truth.
 
-## Security Best Practices
+## Branch Protection (`develop`)
 
-When using RocketRide Engine:
+- All changes land via pull request
+- At least 1 code-owner approval required (per `CODEOWNERS`)
+- All required CI and security-scanning status checks (as configured in branch protection settings) must pass
+- Force-pushes disallowed
+- Branch deletion disallowed
+- Linear history enforced
+- Stale reviews dismissed on new pushes
+- **Admin bypass disabled** — protection rule applies to all users including org owners
+
+## Access Reviews
+
+Access to this repository is reviewed **quarterly** by an org owner. The review covers:
+
+1. All members of `rocketride-org`
+2. All outside collaborators with any permission level
+3. All org owners and their continuing need for that role
+4. 2FA compliance across the org
+
+Reviews are documented internally with disposition for each non-employee or elevated-access user.
+
+## Supported Versions
 
-1. **Keep Updated**: Always use the latest version
-2. **Credentials**: Never commit credentials or secrets
-3. **Dependencies**: Regularly update dependencies
-4. **Access Control**: Implement proper access controls
-5. **Encryption**: Use encryption for sensitive data
+| Version | Supported |
+|---|---|
+| 3.1.x | ✅ |
+| < 3.1 | ❌ |
 
-## Security Features
+Critical-severity issues in unsupported versions are evaluated case-by-case.
 
-RocketRide Engine includes several security features:
+## Public Vulnerability Disclosure
 
-- **Encryption**: Support for data encryption at rest and in transit
-- **Authentication**: Configurable authentication mechanisms
-- **Keystore**: Secure key management
-- **Audit Logging**: Comprehensive activity logging
+After remediation lands in a supported version, we publish an advisory at:
+https://github.com/rocketride-org/rocketride-server/security/advisories
 
-Thank you for helping keep RocketRide Engine secure!
+Reporters are credited unless they request otherwise.