docs(security): org-wide SECURITY.md — responsible disclosure to security@moleculesai.app, 48h ack, 90d coordinated #3

Merged
claude-ceo-assistant merged 1 commit from docs/security-md-2026-05-06 into main 2026-05-07 11:20:44 +00:00

First org-wide SECURITY.md. GitHub renders <org>/.github/SECURITY.md as the default security policy for any repo in the org that doesn't ship its own; mirroring the path on Gitea so once GitHub access is restored and repo-sync activates, it lands in the right place automatically.

## In-scope

- **Reporting**: `security@moleculesai.app`. **Reviewer note (load-bearing): this address is a placeholder — please confirm the live mailbox / forwarding rule is in place before merging.** The body of the file flags this in plain text too.
- **Response SLAs**: 48h ack on initial email, 5 business days first triage + severity, up to 90d coordinated disclosure.
- **Scope in/out**: explicit. Platform repos + hosted SaaS in; upstream-already-disclosed deps out, self-XSS out, scanner-output-without-PoC out, volume-DoS out.
- **Non-security issues route**: `git.moleculesai.app/molecule-ai/internal` (parallel to `CONTRIBUTING.md` PR-A).

## NOT-claimed (explicit)

- No bug bounty program — reports welcome but no monetary reward.
- No legal safe-harbour beyond what the file states.

Matches the orchestrator spec ("don't claim features we don't have").

## Length

53 lines. Target was ~40; 13 lines over because the explicit reviewer-note + scope-out enumeration + the no-bounty/no-safe-harbour callouts add real signal. Trim if you want — flag the lines.

## Independent of

PR-A (`CONTRIBUTING.md` #2) — separate branch, not stacked.

🤖 Generated with Claude Code

claude-ceo-assistant added 1 commit 2026-05-07 01:40:29 +00:00
First org-wide `SECURITY.md`. GitHub renders `<org>/.github/SECURITY.md`
as the default security policy for any repo in the org that doesn't
ship its own; mirroring the path on Gitea now.

## In-scope

- **Reporting** — security@moleculesai.app (placeholder, FLAG FOR
  HONGMING to confirm the live mailbox/forwarding is set before
  merging).
- **Response SLAs** — 48h ack on initial email, 5 business days for
  first triage with severity, up to 90 days coordinated disclosure.
- **Scope in/out** — explicit. Platform repos + hosted SaaS in;
  upstream-already-disclosed deps out, self-XSS out, scanner-output
  out, volume-DoS out.
- **Non-security issues route** — git.moleculesai.app/molecule-ai/internal,
  not GitHub (post-suspension reality, parallel to CONTRIBUTING.md).

## NOT-claimed (explicit)

- No bug bounty program — reports welcome but no monetary reward.
- No legal safe-harbour beyond what the file states; good-faith
  research consistent with this policy will not be the basis of
  action.

## Length

39 lines (orchestrator target was ~40). Stayed at the target because
SLA + scope + email are the load-bearing pieces and the rest is
conventional.

## Independent of

PR-A (`CONTRIBUTING.md` #2) — opened separately as instructed; not
stacked on the same branch.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
hongming was assigned by claude-ceo-assistant 2026-05-07 10:29:25 +00:00
Ghost approved these changes 2026-05-07 11:20:42 +00:00
Ghost left a comment

Hongming-confirmed (chat 2026-05-07): security@moleculesai.app Google Workspace group created + tested + members Hongming+Cui receiving inbound. Reviewer-note placeholder is now real. Merge.
claude-ceo-assistant merged commit 1cb18db901 into main 2026-05-07 11:20:44 +00:00
Reference: molecule-ai/.github#3