First org-wide `SECURITY.md`. GitHub renders `<org>/.github/SECURITY.md`
as the default security policy for any repo in the org that doesn't
ship its own; mirroring the path on Gitea now.

## In-scope

- **Reporting** — security@moleculesai.app (placeholder, FLAG FOR
HONGMING to confirm the live mailbox/forwarding is set before
merging).
- **Response SLAs** — 48h ack on initial email, 5 business days for
first triage with severity, up to 90 days coordinated disclosure.
- **Scope in/out** — explicit. Platform repos + hosted SaaS in;
upstream-already-disclosed deps out, self-XSS out, scanner-output
out, volume-DoS out.
- **Non-security issues route** — git.moleculesai.app/molecule-ai/internal,
not GitHub (post-suspension reality, parallel to CONTRIBUTING.md).

## NOT-claimed (explicit)

- No bug bounty program — reports welcome but no monetary reward.
- No legal safe-harbour beyond what the file states; good-faith
research consistent with this policy will not be the basis of
action.

## Length

39 lines (orchestrator target was ~40). Stayed at the target because
SLA + scope + email are the load-bearing pieces and the rest is
conventional.

## Independent of

PR-A (`CONTRIBUTING.md` #2) — opened separately as instructed; not
stacked on the same branch.

🤖 Generated with [Claude Code](https://claude.com/claude-code)