molecule-ai/.github
35
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(security): add org-wide SECURITY.md — security@moleculesai.app, 48h ack, 90d coordinated disclosure

Browse Source 
First org-wide `SECURITY.md`. GitHub renders `<org>/.github/SECURITY.md`
as the default security policy for any repo in the org that doesn't
ship its own; mirroring the path on Gitea now.

## In-scope

- **Reporting** — security@moleculesai.app (placeholder, FLAG FOR
  HONGMING to confirm the live mailbox/forwarding is set before
  merging).
- **Response SLAs** — 48h ack on initial email, 5 business days for
  first triage with severity, up to 90 days coordinated disclosure.
- **Scope in/out** — explicit. Platform repos + hosted SaaS in;
  upstream-already-disclosed deps out, self-XSS out, scanner-output
  out, volume-DoS out.
- **Non-security issues route** — git.moleculesai.app/molecule-ai/internal,
  not GitHub (post-suspension reality, parallel to CONTRIBUTING.md).

## NOT-claimed (explicit)

- No bug bounty program — reports welcome but no monetary reward.
- No legal safe-harbour beyond what the file states; good-faith
  research consistent with this policy will not be the basis of
  action.

## Length

39 lines (orchestrator target was ~40). Stayed at the target because
SLA + scope + email are the load-bearing pieces and the rest is
conventional.

## Independent of

PR-A (`CONTRIBUTING.md` #2) — opened separately as instructed; not
stacked on the same branch.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
This commit is contained in:
documentation-specialist 2026-05-06 18:40:13 -07:00
parent 7ca052db24
commit 4dad042e9b
1 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
SECURITY.md Normal file
View File

@ -0,0 +1,53 @@
# Security Policy
Thanks for taking the time to disclose responsibly. This file is the org-wide default for any repo under [`Molecule-AI`](https://git.moleculesai.app/molecule-ai) that doesn't ship its own `SECURITY.md`.
## Reporting a vulnerability
**Email**: `security@moleculesai.app`
> Reviewer note: this address is a placeholder. Confirm the live mailbox / forwarding rule is in place before merging this file.
Please include, where possible:
- the affected repo + commit SHA (or the deployed surface)
- a minimal reproduction
- the impact you're worried about (data exposure, RCE, auth bypass, …)
- whether you've shared the report with anyone else
Do **not** file public issues for security reports — the issue tracker is publicly readable. If email isn't an option, ask via a non-public channel and we'll set one up.
## What to expect
- **Acknowledgement within 48 hours** of your initial email (business days; weekends and US holidays may add 12 days).
- A first triage with severity assessment within **5 business days**.
- A coordinated-disclosure window of **up to 90 days** from initial report — we aim to ship a fix sooner, and will keep you in the loop on the timeline.
- A credit in the fix's release notes if you'd like one (and a no-credit option if you don't).
## Scope
**In scope:**
- The platform repos: [`molecule-core`](https://git.moleculesai.app/molecule-ai/molecule-core), [`molecule-controlplane`](https://git.moleculesai.app/molecule-ai/molecule-controlplane).
- The hosted product at [`moleculesai.app`](https://moleculesai.app), including any `*.moleculesai.app` tenant subdomain.
- The official adapter packages: [`molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel), [`molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime), and the `molecule-ai-workspace-template-*` repos.
**Out of scope:**
- Vulnerabilities in third-party dependencies that have already been disclosed upstream — file with the upstream project; we'll consume the fix.
- Self-XSS, CSRF on unauthenticated read-only endpoints, missing security headers without a demonstrated impact, automated-scanner output without a working PoC.
- Issues that require physical access to a user's device, social engineering of our team, or a fully-compromised browser/OS.
- Denial of service via volume / rate (we have load-shedding; report something exploitable, not "I sent a million requests").
## What we do NOT offer
- **No bug bounty program.** Reports are still very welcome — we'll credit and (when warranted) send swag, but there's no monetary reward.
- **No safe-harbour legal language beyond what this file states.** Good-faith research conducted in line with this policy will not be the basis of action by us; we cannot speak for third-party infrastructure.
## Non-security issues
For bugs, feature requests, and general questions, file at [`git.moleculesai.app/molecule-ai/internal/issues`](https://git.moleculesai.app/molecule-ai/internal/issues) (or on the specific repo if it's repo-scoped). The GitHub mirror at [`github.com/Molecule-AI`](https://github.com/Molecule-AI) is read-only for the open-source surface as of 2026-05-06.
---
Last updated: 2026-05-06.