Skip to content

fix issue 480; security.md#563

Merged
Junman140 merged 1 commit into
Pi-Defi-world:devfrom
Michvista:fixissue480
Jun 29, 2026
Merged

fix issue 480; security.md#563
Junman140 merged 1 commit into
Pi-Defi-world:devfrom
Michvista:fixissue480

Conversation

@Michvista

@Michvista Michvista commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Summary

fixed security.md
closes #480

Scope

  • Backend API behavior
  • Build/CI only
  • Docs only
  • Other

Validation

  • pnpm run build
  • pnpm test
  • pnpm lint

Links

  • Issue(s): #
  • Related PR(s): #

Summary by CodeRabbit

  • Documentation
    • Added a security policy with instructions for privately reporting vulnerabilities.
    • Included guidance on what details to provide, expected response timelines, and how issues will be handled confidentially.
    • Added safe-harbor guidance to help security researchers report issues responsibly.

@drips-wave

drips-wave Bot commented Jun 27, 2026

Copy link
Copy Markdown

@Michvista Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@coderabbitai

coderabbitai Bot commented Jun 27, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

A new SECURITY.md file is added to the repository root, establishing a security vulnerability disclosure policy for acbu-backend. It defines reporting channels, required report contents, response expectations, coordinated disclosure, and safe-harbor rules.

Changes

Security Policy

Layer / File(s) Summary
Vulnerability disclosure policy
SECURITY.md
Adds private reporting instructions (GitHub flow + fallback), required/optional report fields, handling and coordinated disclosure expectations, and safe-harbor prohibitions including guidance for accidental sensitive-data exposure.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit hops in, drops a scroll with care,
"Report bugs in private — it's only fair!"
No shouting in issues, no public display,
Just whisper the flaw and we'll fix it straightway.
🐇🔐

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Description check ⚠️ Warning The template is mostly followed, but the Links section still uses placeholders instead of actual issue/PR references. Replace the '#' placeholders with real relative references and add a slightly fuller summary of the SECURITY.md change.
Title check ❓ Inconclusive The title is related but too vague to clearly summarize the change. Use a concise title that names the SECURITY.md vulnerability disclosure policy, e.g. "Add SECURITY.md vulnerability disclosure policy".
✅ Passed checks (3 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The added SECURITY.md provides a private vulnerability reporting policy, matching issue #480's requirement.
Out of Scope Changes check ✅ Passed The PR only adds SECURITY.md content, which stays within the issue's documentation scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
SECURITY.md (1)

26-30: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add concrete response timeframes for acknowledgment and triage.

The response expectations are vague ("as soon as practical," "reasonable time"). Security researchers need predictable timelines to decide whether to escalate or disclose elsewhere. Standard practice is to specify:

  • Acknowledgment within 48-72 hours
  • Initial triage assessment within 5-7 business days
  • Target fix timeline based on severity

This aligns with coordinated disclosure best practices and sets clear expectations.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 26 - 30, The response expectations in SECURITY.md
are too vague; update the section to include concrete timelines for security
reports. Modify the wording near the response policy text to state an
acknowledgment window, an initial triage window, and a severity-based target fix
timeline so researchers have clear expectations.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Around line 7-14: Add an explicit disclosure contact in SECURITY.md by
referencing the CODEOWNERS security team (`@Pi-Defi-world/security-team`) and a
dedicated contact method for external reports when GitHub private vulnerability
reporting is unavailable. Update the reporting guidance text to replace the
vague “repository maintainers” fallback with a clear security-team route, using
the security policy section as the place to locate and edit the disclosure
instructions.
- Around line 32-41: The Safe Harbor section in SECURITY.md needs to explicitly
state that good-faith security testing of this repository is authorized, define
the allowed scope by naming the in-scope systems/environments or endpoints, and
add a clear legal safe-harbor commitment that the project will not pursue legal
action against researchers who follow the policy. Update the existing Safe
Harbor text to keep the current prohibited activities while adding these missing
authorization and scope boundaries in the same section.

---

Nitpick comments:
In `@SECURITY.md`:
- Around line 26-30: The response expectations in SECURITY.md are too vague;
update the section to include concrete timelines for security reports. Modify
the wording near the response policy text to state an acknowledgment window, an
initial triage window, and a severity-based target fix timeline so researchers
have clear expectations.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a7d4ddaa-84fe-43c4-970c-376e7d947e53

📥 Commits

Reviewing files that changed from the base of the PR and between d6fa28a and 1137233.

📒 Files selected for processing (1)
  • SECURITY.md

Comment thread SECURITY.md
Comment on lines +7 to +14
Use GitHub's private vulnerability reporting for this repository:

- Go to the repository's **Security** tab
- Select **Report a vulnerability**
- Provide the details requested in the form

If private reporting is unavailable, contact the repository maintainers through GitHub as privately as possible and avoid posting exploit details publicly.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add explicit security team contact and reference the CODEOWNERS security team.

The current reporting instructions rely on GitHub's private vulnerability reporting and a vague fallback to "repository maintainers." Issue #480 requests a specific point of contact for external researchers. The CODEOWNERS file shows @Pi-Defi-world/security-team owns security-sensitive directories (prisma/, src/services/, src/controllers/, src/routes/), yet this team is not referenced in the disclosure policy.

Add an explicit mention of the security team and a dedicated contact method (e.g., security team email or GitHub team handle) to ensure researchers know where to route reports when GitHub private reporting is unavailable.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 7 - 14, Add an explicit disclosure contact in
SECURITY.md by referencing the CODEOWNERS security team
(`@Pi-Defi-world/security-team`) and a dedicated contact method for external
reports when GitHub private vulnerability reporting is unavailable. Update the
reporting guidance text to replace the vague “repository maintainers” fallback
with a clear security-team route, using the security policy section as the place
to locate and edit the disclosure instructions.

Comment thread SECURITY.md
Comment on lines +32 to +41
## Safe Harbor

We consider good-faith security research to be helpful. Please avoid:

- Accessing data you do not own or are not authorized to access
- Modifying or deleting data
- Disrupting service availability
- Exfiltrating secrets, credentials, or personal data

If you accidentally encounter sensitive information during testing, stop immediately and report it through the private channel above.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Expand safe harbor with explicit authorization and scope boundaries.

The current safe harbor lists prohibited activities but lacks:

  1. Explicit authorization statement: Researchers need confirmation that good-faith testing of this repository is permitted
  2. Scope definition: Clarify which systems, endpoints, or environments are in scope (e.g., production API, staging, specific domains)
  3. Legal safe harbor commitment: Explicit statement that the project will not pursue legal action against good-faith researchers who comply with this policy

Without these elements, researchers lack legal clarity, which discourages participation and undermines the policy's purpose.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 32 - 41, The Safe Harbor section in SECURITY.md
needs to explicitly state that good-faith security testing of this repository is
authorized, define the allowed scope by naming the in-scope systems/environments
or endpoints, and add a clear legal safe-harbor commitment that the project will
not pursue legal action against researchers who follow the policy. Update the
existing Safe Harbor text to keep the current prohibited activities while adding
these missing authorization and scope boundaries in the same section.

@Michvista

Copy link
Copy Markdown
Contributor Author

@Junman140 this one too sir

@Junman140 Junman140 merged commit 35aef59 into Pi-Defi-world:dev Jun 29, 2026
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

No SECURITY.md with vulnerability disclosure policy

2 participants