From 4dad042e9b5d269aec6c40b8225851fca1a9d618 Mon Sep 17 00:00:00 2001 From: documentation-specialist Date: Wed, 6 May 2026 18:40:13 -0700 Subject: [PATCH] =?UTF-8?q?docs(security):=20add=20org-wide=20SECURITY.md?= =?UTF-8?q?=20=E2=80=94=20security@moleculesai.app,=2048h=20ack,=2090d=20c?= =?UTF-8?q?oordinated=20disclosure?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit First org-wide `SECURITY.md`. GitHub renders `/.github/SECURITY.md` as the default security policy for any repo in the org that doesn't ship its own; mirroring the path on Gitea now. ## In-scope - **Reporting** — security@moleculesai.app (placeholder, FLAG FOR HONGMING to confirm the live mailbox/forwarding is set before merging). - **Response SLAs** — 48h ack on initial email, 5 business days for first triage with severity, up to 90 days coordinated disclosure. - **Scope in/out** — explicit. Platform repos + hosted SaaS in; upstream-already-disclosed deps out, self-XSS out, scanner-output out, volume-DoS out. - **Non-security issues route** — git.moleculesai.app/molecule-ai/internal, not GitHub (post-suspension reality, parallel to CONTRIBUTING.md). ## NOT-claimed (explicit) - No bug bounty program — reports welcome but no monetary reward. - No legal safe-harbour beyond what the file states; good-faith research consistent with this policy will not be the basis of action. ## Length 39 lines (orchestrator target was ~40). Stayed at the target because SLA + scope + email are the load-bearing pieces and the rest is conventional. ## Independent of PR-A (`CONTRIBUTING.md` #2) — opened separately as instructed; not stacked on the same branch. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- SECURITY.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..2cbc972 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,53 @@ +# Security Policy + +Thanks for taking the time to disclose responsibly. This file is the org-wide default for any repo under [`Molecule-AI`](https://git.moleculesai.app/molecule-ai) that doesn't ship its own `SECURITY.md`. + +## Reporting a vulnerability + +**Email**: `security@moleculesai.app` + +> Reviewer note: this address is a placeholder. Confirm the live mailbox / forwarding rule is in place before merging this file. + +Please include, where possible: + +- the affected repo + commit SHA (or the deployed surface) +- a minimal reproduction +- the impact you're worried about (data exposure, RCE, auth bypass, …) +- whether you've shared the report with anyone else + +Do **not** file public issues for security reports — the issue tracker is publicly readable. If email isn't an option, ask via a non-public channel and we'll set one up. + +## What to expect + +- **Acknowledgement within 48 hours** of your initial email (business days; weekends and US holidays may add 1–2 days). +- A first triage with severity assessment within **5 business days**. +- A coordinated-disclosure window of **up to 90 days** from initial report — we aim to ship a fix sooner, and will keep you in the loop on the timeline. +- A credit in the fix's release notes if you'd like one (and a no-credit option if you don't). + +## Scope + +**In scope:** + +- The platform repos: [`molecule-core`](https://git.moleculesai.app/molecule-ai/molecule-core), [`molecule-controlplane`](https://git.moleculesai.app/molecule-ai/molecule-controlplane). +- The hosted product at [`moleculesai.app`](https://moleculesai.app), including any `*.moleculesai.app` tenant subdomain. +- The official adapter packages: [`molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel), [`molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime), and the `molecule-ai-workspace-template-*` repos. + +**Out of scope:** + +- Vulnerabilities in third-party dependencies that have already been disclosed upstream — file with the upstream project; we'll consume the fix. +- Self-XSS, CSRF on unauthenticated read-only endpoints, missing security headers without a demonstrated impact, automated-scanner output without a working PoC. +- Issues that require physical access to a user's device, social engineering of our team, or a fully-compromised browser/OS. +- Denial of service via volume / rate (we have load-shedding; report something exploitable, not "I sent a million requests"). + +## What we do NOT offer + +- **No bug bounty program.** Reports are still very welcome — we'll credit and (when warranted) send swag, but there's no monetary reward. +- **No safe-harbour legal language beyond what this file states.** Good-faith research conducted in line with this policy will not be the basis of action by us; we cannot speak for third-party infrastructure. + +## Non-security issues + +For bugs, feature requests, and general questions, file at [`git.moleculesai.app/molecule-ai/internal/issues`](https://git.moleculesai.app/molecule-ai/internal/issues) (or on the specific repo if it's repo-scoped). The GitHub mirror at [`github.com/Molecule-AI`](https://github.com/Molecule-AI) is read-only for the open-source surface as of 2026-05-06. + +--- + +Last updated: 2026-05-06. -- 2.45.2