.github/SECURITY.md
documentation-specialist 4dad042e9b docs(security): add org-wide SECURITY.md — security@moleculesai.app, 48h ack, 90d coordinated disclosure
First org-wide `SECURITY.md`. GitHub renders `<org>/.github/SECURITY.md`
as the default security policy for any repo in the org that doesn't
ship its own; mirroring the path on Gitea now.

## In-scope

- **Reporting** — security@moleculesai.app (placeholder, FLAG FOR
  HONGMING to confirm the live mailbox/forwarding is set before
  merging).
- **Response SLAs** — 48h ack on initial email, 5 business days for
  first triage with severity, up to 90 days coordinated disclosure.
- **Scope in/out** — explicit. Platform repos + hosted SaaS in;
  upstream-already-disclosed deps out, self-XSS out, scanner-output
  out, volume-DoS out.
- **Non-security issues route** — git.moleculesai.app/molecule-ai/internal,
  not GitHub (post-suspension reality, parallel to CONTRIBUTING.md).

## NOT-claimed (explicit)

- No bug bounty program — reports welcome but no monetary reward.
- No legal safe-harbour beyond what the file states; good-faith
  research consistent with this policy will not be the basis of
  action.

## Length

39 lines (orchestrator target was ~40). Stayed at the target because
SLA + scope + email are the load-bearing pieces and the rest is
conventional.

## Independent of

PR-A (`CONTRIBUTING.md` #2) — opened separately as instructed; not
stacked on the same branch.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
2026-05-06 18:40:13 -07:00

54 lines
3.2 KiB
Markdown

# Security Policy
Thanks for taking the time to disclose responsibly. This file is the org-wide default for any repo under [`Molecule-AI`](https://git.moleculesai.app/molecule-ai) that doesn't ship its own `SECURITY.md`.
## Reporting a vulnerability
**Email**: `security@moleculesai.app`
> Reviewer note: this address is a placeholder. Confirm the live mailbox / forwarding rule is in place before merging this file.

Please include, where possible:
- the affected repo + commit SHA (or the deployed surface)
- a minimal reproduction
- the impact you're worried about (data exposure, RCE, auth bypass, …)
- whether you've shared the report with anyone else

Do **not** file public issues for security reports — the issue tracker is publicly readable. If email isn't an option, ask via a non-public channel and we'll set one up.
## What to expect
- **Acknowledgement within 48 hours** of your initial email (business days; weekends and US holidays may add 12 days).
- A first triage with severity assessment within **5 business days**.
- A coordinated-disclosure window of **up to 90 days** from initial report — we aim to ship a fix sooner, and will keep you in the loop on the timeline.
- A credit in the fix's release notes if you'd like one (and a no-credit option if you don't).
## Scope
**In scope:**
- The platform repos: [`molecule-core`](https://git.moleculesai.app/molecule-ai/molecule-core), [`molecule-controlplane`](https://git.moleculesai.app/molecule-ai/molecule-controlplane).
- The hosted product at [`moleculesai.app`](https://moleculesai.app), including any `*.moleculesai.app` tenant subdomain.
- The official adapter packages: [`molecule-mcp-claude-channel`](https://git.moleculesai.app/molecule-ai/molecule-mcp-claude-channel), [`molecule-ai-workspace-runtime`](https://git.moleculesai.app/molecule-ai/molecule-ai-workspace-runtime), and the `molecule-ai-workspace-template-*` repos.

**Out of scope:**
- Vulnerabilities in third-party dependencies that have already been disclosed upstream — file with the upstream project; we'll consume the fix.
- Self-XSS, CSRF on unauthenticated read-only endpoints, missing security headers without a demonstrated impact, automated-scanner output without a working PoC.
- Issues that require physical access to a user's device, social engineering of our team, or a fully-compromised browser/OS.
- Denial of service via volume / rate (we have load-shedding; report something exploitable, not "I sent a million requests").
## What we do NOT offer
- **No bug bounty program.** Reports are still very welcome — we'll credit and (when warranted) send swag, but there's no monetary reward.
- **No safe-harbour legal language beyond what this file states.** Good-faith research conducted in line with this policy will not be the basis of action by us; we cannot speak for third-party infrastructure.
## Non-security issues
For bugs, feature requests, and general questions, file at [`git.moleculesai.app/molecule-ai/internal/issues`](https://git.moleculesai.app/molecule-ai/internal/issues) (or on the specific repo if it's repo-scoped). The GitHub mirror at [`github.com/Molecule-AI`](https://github.com/Molecule-AI) is read-only for the open-source surface as of 2026-05-06.

---
Last updated: 2026-05-06.