Org profile (README rendered on org page) + shared workflow templates
documentation-specialist 4dad042e9b docs(security): add org-wide SECURITY.md — security@moleculesai.app, 48h ack, 90d coordinated disclosure
First org-wide `SECURITY.md`. GitHub renders `<org>/.github/SECURITY.md`
as the default security policy for any repo in the org that doesn't
ship its own; mirroring the path on Gitea now.

## In-scope

- **Reporting** — security@moleculesai.app (placeholder, FLAG FOR
  HONGMING to confirm the live mailbox/forwarding is set before
  merging).
- **Response SLAs** — 48h ack on initial email, 5 business days for
  first triage with severity, up to 90 days coordinated disclosure.
- **Scope in/out** — explicit. Platform repos + hosted SaaS in;
  upstream-already-disclosed deps out, self-XSS out, scanner-output
  out, volume-DoS out.
- **Non-security issues route** — git.moleculesai.app/molecule-ai/internal,
  not GitHub (post-suspension reality, parallel to CONTRIBUTING.md).

## NOT-claimed (explicit)

- No bug bounty program — reports welcome but no monetary reward.
- No legal safe-harbour beyond what the file states; good-faith
  research consistent with this policy will not be the basis of
  action.

## Length

39 lines (orchestrator target was ~40). Stayed at the target because
SLA + scope + email are the load-bearing pieces and the rest is
conventional.

## Independent of

PR-A (`CONTRIBUTING.md` #2) — opened separately as instructed; not
stacked on the same branch.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
2026-05-06 18:40:13 -07:00
| File | Last commit | Date |
| --- | --- | --- |
| README.md | Initial commit | 2026-05-07 00:02:57 +00:00 |
| SECURITY.md | docs(security): add org-wide SECURITY.md — security@moleculesai.app, 48h ack, 90d coordinated disclosure | 2026-05-06 18:40:13 -07:00 |

.github