Why (block)
A library declaring a 1.0 stable API takes on a public security-response obligation. #687 (GA Epic) does not list a CVE intake process, a PSIRT (Product Security Incident Response Team) activation, or a documented support window for 1.x.
Without these:
- Downstream embedders cannot report a vulnerability responsibly (no intake address, no PGP key for encrypted disclosure).
- The wirelog project cannot triage incoming reports consistently.
- "How long is 1.x supported" is undefined, so CVE backports have no defined scope.
Scope
PSIRT contact:
- Designate a security contact email (e.g., security@cleverplant.com or a project mailbox) and publish it in SECURITY.md (cross-ref Blocker B11: SECURITY.md rewritten #698 B11).
- Optional: publish a project PGP key for encrypted disclosure.
CVE intake process:
- Document the disclosure timeline in SECURITY.md: acknowledgement window, fix window, public-disclosure window.
- Establish how CVE IDs are requested (via GitHub's CNA or cve.mitre.org).
1.x support window:
- Declare the duration, e.g., 1.x supported for 18 months after 1.0 GA (or 12 months after 2.0 GA, whichever is later). Document it in docs/SUPPORT_POLICY.md (new) or extend README.md.
- Define what "supported" means: bug fixes, CVE backports, no new features.
- Define an LTS designation, if any (e.g., 1.0.x is LTS through 2026-12).
Acceptance
- SECURITY.md documents the PSIRT contact, the disclosure procedure, and the supported-version table.
- docs/SUPPORT_POLICY.md (or equivalent) declares the 1.x support window.
- README.md's supported-versions table cross-links the policy.
Cross-ref: #687, #698 B11, #684, #701.