added SECURITY.md

[jonathanMLDev]

close #30

Summary by CodeRabbit

• Documentation
  • Added a security policy describing supported release/branch guidance, private vulnerability reporting channels and encrypted-report instructions, required report contents (impact, reproduction/PoC, affected commits/versions, mitigation), expected acknowledgement (within 5 business days) and resolution/status-update timelines (90 days), CVE handling for confirmed user-impacting issues, and clarified in-scope (e.g., container escape, secret exposure, path traversal, supply-chain, privilege escalation) and out-of-scope vulnerability types.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f46e804e-e9ae-4dbe-a304-06efc0b493d3

📥 Commits

Reviewing files that changed from the base of the PR and between 2c6054e and b1244ae.

📒 Files selected for processing (1)

• SECURITY.md

✅ Files skipped from review due to trivial changes (1)

• SECURITY.md

---

📝 Walkthrough

Walkthrough

A SECURITY.md file is added describing supported-release handling (pre-release, fixes on latest develop until v0.1.0 tag), a private vulnerability reporting path (GitHub or will@cppalliance.org with optional PGP/secure channel), required report contents, acknowledgement/resolution timelines, and in-scope/out-of-scope vulnerability categories.

Changes

Security Policy Addition

Layer / File(s)	Summary
Supported Versions SECURITY.md (lines 1–12)	Declares pre-release status with no tagged stable releases yet, notes pyproject.toml references 0.1.0 but fixes are provided only for the latest develop commit until a v0.1.0 tag is created.
Reporting a Vulnerability SECURITY.md (lines 13–35)	Adds directive not to open public issues; instructs using GitHub private vulnerability reporting or will@cppalliance.org; optional encrypted reporting via PGP/secure channel; lists required report contents; sets acknowledgement within 5 business days and resolution/status update within 90 days; describes CVE request via GitHub CNA for confirmed user-impacting issues.
Scope (In-Scope) SECURITY.md (lines 36–49)	Defines in-scope vulnerability classes: container escape, token/secret exposure, path traversal, dependency confusion/supply-chain, and privilege escalation; notes external prerequisites (act runner/Docker Engine) should be reported upstream unless triggered by Local CI orchestration.
Out of Scope SECURITY.md (lines 50–55)	Lists out-of-scope items: non-amplified third-party dependency issues, resource exhaustion/crashes without privilege escalation/sandbox escape/data exfiltration, and theoretical vulnerabilities lacking realistic attack scenarios.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A quiet badge for safety grown,
A private path to tell what's known,
Send a note with PGP and care,
I’ll hop and patch what lurks in there—
Secure the gate, keep code well sown.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and directly summarizes the primary change: adding a SECURITY.md file to the repository.
Linked Issues check	✅ Passed	All coding requirements from issue #30 are met: SECURITY.md created at repo root, supported versions documented, vulnerability reporting paths provided, and scope clarification included.
Out of Scope Changes check	✅ Passed	All changes are directly related to the SECURITY.md file creation requirement in issue #30, with no extraneous modifications to other files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}