4dad042e9b
First org-wide `SECURITY.md`. GitHub renders `<org>/.github/SECURITY.md` as the default security policy for any repo in the org that doesn't ship its own; mirroring the path on Gitea now. ## In-scope - **Reporting** — security@moleculesai.app (placeholder, FLAG FOR HONGMING to confirm the live mailbox/forwarding is set before merging). - **Response SLAs** — 48h ack on initial email, 5 business days for first triage with severity, up to 90 days coordinated disclosure. - **Scope in/out** — explicit. Platform repos + hosted SaaS in; upstream-already-disclosed deps out, self-XSS out, scanner-output out, volume-DoS out. - **Non-security issues route** — git.moleculesai.app/molecule-ai/internal, not GitHub (post-suspension reality, parallel to CONTRIBUTING.md). ## NOT-claimed (explicit) - No bug bounty program — reports welcome but no monetary reward. - No legal safe-harbour beyond what the file states; good-faith research consistent with this policy will not be the basis of action. ## Length 39 lines (orchestrator target was ~40). Stayed at the target because SLA + scope + email are the load-bearing pieces and the rest is conventional. ## Independent of PR-A (`CONTRIBUTING.md` #2) — opened separately as instructed; not stacked on the same branch. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
3.2 KiB
3.2 KiB
Security Policy
Thanks for taking the time to disclose responsibly. This file is the org-wide default for any repo under Molecule-AI that doesn't ship its own SECURITY.md.
Reporting a vulnerability
Email: security@moleculesai.app
Reviewer note: this address is a placeholder. Confirm the live mailbox / forwarding rule is in place before merging this file.
Please include, where possible:
- the affected repo + commit SHA (or the deployed surface)
- a minimal reproduction
- the impact you're worried about (data exposure, RCE, auth bypass, …)
- whether you've shared the report with anyone else
Do not file public issues for security reports — the issue tracker is publicly readable. If email isn't an option, ask via a non-public channel and we'll set one up.
What to expect
- Acknowledgement within 48 hours of your initial email (business days; weekends and US holidays may add 1–2 days).
- A first triage with severity assessment within 5 business days.
- A coordinated-disclosure window of up to 90 days from initial report — we aim to ship a fix sooner, and will keep you in the loop on the timeline.
- A credit in the fix's release notes if you'd like one (and a no-credit option if you don't).
Scope
In scope:
- The platform repos:
molecule-core,molecule-controlplane. - The hosted product at
moleculesai.app, including any*.moleculesai.apptenant subdomain. - The official adapter packages:
molecule-mcp-claude-channel,molecule-ai-workspace-runtime, and themolecule-ai-workspace-template-*repos.
Out of scope:
- Vulnerabilities in third-party dependencies that have already been disclosed upstream — file with the upstream project; we'll consume the fix.
- Self-XSS, CSRF on unauthenticated read-only endpoints, missing security headers without a demonstrated impact, automated-scanner output without a working PoC.
- Issues that require physical access to a user's device, social engineering of our team, or a fully-compromised browser/OS.
- Denial of service via volume / rate (we have load-shedding; report something exploitable, not "I sent a million requests").
What we do NOT offer
- No bug bounty program. Reports are still very welcome — we'll credit and (when warranted) send swag, but there's no monetary reward.
- No safe-harbour legal language beyond what this file states. Good-faith research conducted in line with this policy will not be the basis of action by us; we cannot speak for third-party infrastructure.
Non-security issues
For bugs, feature requests, and general questions, file at git.moleculesai.app/molecule-ai/internal/issues (or on the specific repo if it's repo-scoped). The GitHub mirror at github.com/Molecule-AI is read-only for the open-source surface as of 2026-05-06.
Last updated: 2026-05-06.