diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 89949b70..aa169dfe 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -222,7 +222,7 @@ Open a GitHub issue with: ## Security issues -Email security@tracecore.ai (or open a private security advisory on GitHub). Do not file public issues for vulnerabilities. +Open a private [GitHub Security Advisory](https://github.com/tracecoreai/tracecore/security/advisories/new). Do not file public issues for vulnerabilities. Full disclosure procedure in [SECURITY.md](SECURITY.md). ## License diff --git a/MILESTONES.md b/MILESTONES.md index c75c8075..8c1f2a2e 100644 --- a/MILESTONES.md +++ b/MILESTONES.md 
@@ -193,7 +193,7 @@ M20a/b/c are gates against the same artifact (`bench/install/run.sh`) at progres - Re-running `make release` on a clean checkout of the `v0.1.0` tag produces a `linux/amd64` binary byte-identical to the published asset; scheduled CI job verifies via `diffoscope`; P0 on breakage. (per PRINCIPLES §12) - Release workflow uses pinned action SHAs, requests only `id-token: write` and `contents: write`; `zizmor` + `actionlint` report zero findings. (per NORTHSTARS O3) - Published SBOM enumerates ≥1 `components[]` entry per direct module in `go.mod`; CI asserts `len(components) >= direct_dep_count`. (per NORTHSTARS O3) -- `SECURITY.md` referenced from release notes; canary email to `security@tracecore.ai` at release time confirms inbox responds within 2 business days or release is blocked. (per [`SECURITY.md`](SECURITY.md) L20 "Acknowledgement within 2 business days"; NORTHSTARS O3 7-day SLA refers to *initial assessment* per SECURITY.md L21 — same document, two distinct clocks; reconciliation to NORTHSTARS deferred.) +- `SECURITY.md` referenced from release notes; the GitHub Security Advisory inbox is verified enabled at release time (`gh api /repos/tracecoreai/tracecore/private-vulnerability-reporting` returns `{"enabled":true}`) and at least one `@TraceCoreAI/core` member is configured to receive advisory notifications. Release is blocked if either check fails. (per [`SECURITY.md`](SECURITY.md) "Disclosure channel"; NORTHSTARS O3 7-day SLA refers to *initial assessment* per SECURITY.md "What to expect" — same document, two distinct clocks; reconciliation to NORTHSTARS deferred.) --- diff --git a/SECURITY.md b/SECURITY.md index 408a48a6..00533249 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -4,9 +4,7 @@ If you believe you have found a security vulnerability in tracecore, please report it privately. **Do not open a public GitHub issue.** -Email: **security@tracecore.ai** - -Or open a private GitHub Security Advisory: https://github.com/tracecoreai/tracecore/security/advisories/new +**Disclosure channel:** open a private GitHub Security Advisory at . The advisory is visible only to the reporter and the `@TraceCoreAI/core` maintainers team; coordinated-disclosure discussion happens inside the advisory thread. Please include: @@ -22,7 +20,7 @@ Please include: - **Coordinated disclosure** with a default 90-day embargo from the date of acknowledgement, extendable by mutual agreement when a fix requires more time - A CVE will be requested for any vulnerability that affects deployed users -If you do not receive a response within 7 days, please re-send the report and CC `security-followup@tracecore.ai`. +If you do not receive an acknowledgement within 7 days, comment on your own advisory thread to ping the maintainers (the comment notifies the team) or open a follow-up advisory referencing the original. ## Scope @@ -36,7 +34,7 @@ Out of scope: - Third-party dependencies (please report upstream) - Customer deployments of tracecore that have been modified -- The proprietary synthesis engine (separate disclosure path; contact security@tracecore.ai for routing) +- The proprietary synthesis engine — file a separate private advisory at the same URL above and note in the title that it concerns the synthesis engine; it follows the same disclosure clock ## Safe harbor
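Review bot: In the MILESTONES.md hunk (`@@ -193,7 +193,7 @@`), the new release gate checks only that private vulnerability reporting is enabled and that a recipient is configured, whereas the removed canary-email gate verified that a human actually responds within 2 business days; the liveness check is lost. Consider keeping a periodic drill (e.g. a maintainer-filed test advisory that must be acknowledged within the SLA) alongside the `gh api` check. Also, the second condition ("at least one `@TraceCoreAI/core` member is configured to receive advisory notifications") has no stated verification command, unlike the `{"enabled":true}` check, so CI cannot enforce it as written; spell out how it is checked or mark it as a manual step. Finally, the parenthetical still says "two distinct clocks" but no longer quotes the 2-business-day acknowledgement figure it used to cite, so the reader of this bullet can no longer see what the second clock is.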
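Review bot: In the first SECURITY.md hunk (`@@ -4,9 +4,7 @@`), the added line reads "open a private GitHub Security Advisory at ." with no URL, while the removed line carried `https://github.com/tracecoreai/tracecore/security/advisories/new`; as written the primary disclosure channel has no link. Restore the URL on the new line (the CONTRIBUTING.md hunk in this same patch links it, so the two files should agree).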
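Review bot: In the second SECURITY.md hunk (`@@ -22,7 +20,7 @@`), the escalation path now relies entirely on the channel that has already failed to answer: commenting on the same advisory thread, or opening another advisory, reaches the same notification configuration as the original report, whereas the removed line gave a distinct fallback address. Keep at least one out-of-band contact for the case where advisory notifications are misrouted, which is exactly the failure the MILESTONES.md gate in this patch is trying to catch. Also note the wording change from "response" to "acknowledgement within 7 days": MILESTONES.md cites a 2-business-day acknowledgement clock from this document, so the two figures should be reconciled or the 7-day line should be reworded to refer to the initial assessment.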
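Review bot: In the third SECURITY.md hunk (`@@ -36,7 +34,7 @@`), "file a separate private advisory at the same URL above" depends on a URL that the first hunk of this patch leaves blank, so this line currently points at nothing; it also routes reports about a proprietary component through the open-source repository's advisory flow, which the removed line explicitly called a separate disclosure path. Confirm that the `@TraceCoreAI/core` team is the intended recipient for synthesis-engine reports and that such advisories are not auto-published with the repository's CVE when the engine fix ships on a different schedule.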