docs: consolidate security policy to canonical website URL#10559
Merged
dgarske merged 3 commits intoJul 10, 2026
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR consolidates the repository’s coordinated vulnerability disclosure policy by removing the redundant in-repo policy document and pointing GitHub’s Security tab content to the canonical policy hosted on wolfssl.com.
Changes:
- Delete
SECURITY-POLICY.md(policy content no longer duplicated in-repo). - Update
.github/SECURITY.mdto include contact + PGP fingerprint and link to the canonical vulnerability disclosure policy URL. - Keep the vulnerability report template reference and CVE-submission direction via
SECURITY-REPORT-TEMPLATE.md.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
SECURITY-POLICY.md |
Removes the duplicated in-repo security policy document. |
.github/SECURITY.md |
Updates GitHub Security tab guidance to point to the canonical website policy and retains reporting details (contact, PGP fingerprint, template link). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Replace inline SECURITY-POLICY.md with a thin pointer in .github/SECURITY.md to the canonical policy at wolfssl.com/.well-known/vulnerability-disclosure-policy.txt. Keeps PGP key, contact info, and report template reference. Removes SECURITY-POLICY.md (now redundant).
Per Chris Conlon, secure@ is the existing alias for inbound security reports. support@ is the general support inbox. Aligns with the canonical /.well-known/security.txt and vulnerability-disclosure-policy.txt.
8cde47d to
fe70129
Compare
dgarske
requested changes
Jun 10, 2026
Address review feedback (dgarske): - Restore SECURITY-POLICY.md instead of deleting it. The full policy (severity rubric, scope, coordinated disclosure, credit) stays in-repo; the canonical website URL is now presented as a mirror of it, not a replacement, so other repos can still reference one copy. - SECURITY.md: prefer support@wolfssl.com, offer secure@wolfssl.com with the PGP key as an option, and drop the phone number. - Restore the mandatory report-template requirement and the "keep the vulnerability private until a fix is released" guidance, resolving the contradiction between the intro and the template section.
dgarske
approved these changes
Jul 10, 2026
Member
|
Jenkins retest this please |
danielinux
approved these changes
Jul 10, 2026
danielinux
left a comment
Member
There was a problem hiding this comment.
The changes are OK (although the description of the PR does not match)
Member
|
@MarkAtwood please rebase so it can be merged |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
coordinated vulnerability disclosure policy at
https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt
in
.github/SECURITY.md(what GitHub shows on the Security tab)SECURITY-POLICY.md(now redundant — canonical policy lives onthe website)
secure@wolfssl.com, consistent with the canonicalpolicy and Chris Conlon's note (2026-06-01) that
secure@is theexisting alias for inbound security reports
The website policy is the single source of truth, maintained for CRA
compliance. The report template (
SECURITY-REPORT-TEMPLATE.md) isunchanged.