
Conversation

@EVDOG4LIFE
Contributor

@EVDOG4LIFE EVDOG4LIFE commented Aug 11, 2025

What does this PR do?

(Provide a description of what this PR does.)

Test Plan

(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work.)

Related PRs and Issues

(If this PR is related to any other PR or resolves any issue or related to any issue link all related PR and issues here.)

Have you read the Contributing Guidelines on issues?

(Write your answer here.)

Summary by CodeRabbit

  • Documentation
    • Reworked security guidance to add a Supported Versions section and clarify which releases receive security fixes.
    • Added a comprehensive Responsible Disclosure Policy covering how to report issues, in-scope/out-of-scope definitions, safe-harbor terms, reporting format, recognition, duplicate handling, and public-disclosure expectations.

EVDOG4LIFE and others added 2 commits August 19, 2025 09:30
Co-authored-by: Jake Barnby <[email protected]>
Co-authored-by: Jake Barnby <[email protected]>
@EVDOG4LIFE EVDOG4LIFE requested a review from abnegate August 19, 2025 16:31
Co-authored-by: Jake Barnby <[email protected]>
@coderabbitai

coderabbitai bot commented Nov 6, 2025

Walkthrough

This pull request updates the SECURITY.md file by restructuring the vulnerability reporting section into a "Supported Versions" table and adding a comprehensive Responsible Disclosure Policy. The new policy includes multiple subsections covering contact information, in-scope/out-of-scope vulnerabilities, safe harbor provisions, reporting format requirements, recognition procedures, duplicate handling, public disclosure timelines, and prohibited actions. The original security contact ([email protected]) is retained while expanding the overall security policy documentation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

  • Verify the "Supported Versions" table accurately reflects current version support status
  • Ensure the Responsible Disclosure Policy is comprehensive and clearly differentiates in-scope vs. out-of-scope vulnerability types
  • Confirm contact information ([email protected]) and any referenced processes are correct
  • Check that all subsections are properly formatted and headings are consistent
  • Validate that the safe harbor clause and prohibited actions are appropriate for the organization's security posture

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Security policy improvements' directly aligns with the main change: replacing and enhancing the SECURITY.md file with a comprehensive Responsible Disclosure Policy and version support matrix. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@EVDOG4LIFE EVDOG4LIFE requested a review from abnegate November 6, 2025 16:19

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
SECURITY.md (1)

87-87: Consider simplifying "mutual agreement" for conciseness.

The phrase "mutual agreement" is flagged as potentially wordy. Consider a more concise alternative like "negotiated" or "arranged."

-Please wait until either the fix is live or 90 days have passed since our acknowledgment, whichever comes first, before publishing details. Extensions can be arranged by mutual agreement.
+Please wait until either the fix is live or 90 days have passed since our acknowledgment, whichever comes first, before publishing details. Extensions can be negotiated.
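Review bot: the `+` line's "Extensions can be negotiated" drops the point the `-` line's "by mutual agreement" makes explicit, that neither the project nor the reporter can move the 90-day disclosure deadline on their own; for a disclosure clause that is substance rather than wordiness, so the original wording (or "Extensions may be agreed with the reporter") is preferable to the linter's shorter alternative.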
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4a4b315 and f4b2f96.

📒 Files selected for processing (1)
  • SECURITY.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
SECURITY.md

[style] ~87-~87: ‘mutual agreement’ might be wordy. Consider a shorter alternative.
Context: ... details. Extensions can be arranged by mutual agreement. --- ## Prohibited Actions * Social ...

(EN_WORDINESS_PREMIUM_MUTUAL_AGREEMENT)

🪛 markdownlint-cli2 (0.18.1)
SECURITY.md

22-22: Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (1)
SECURITY.md (1)

5-14: Verify the supported versions table is current and complete.

The versions table has been updated from the previous version, addressing the earlier feedback. However, verify that all currently supported versions are included and that any EOL (end-of-life) versions are correctly marked as unsupported. Confirm that there are no recent releases (post-1.6.x) that should be added to the table.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
SECURITY.md (1)

24-24: Fix markdown linting error: format email address with backticks.

Line 24 contains a bare email address that violates the markdown no-bare-urls rule (MD034). This issue was flagged in a previous review and still requires correction.

Apply this diff:

-We only accept **email** reports. Please use this address for all vulnerability reports: [email protected]  
+We only accept **email** reports. Please use this address for all vulnerability reports: `[email protected]`
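Review bot: wrapping the address in backticks on the `+` line satisfies MD034 but renders it as inline code, so it is no longer clickable on the rendered page; a `mailto:` link in the form `[address](mailto:address)` also clears the bare-URL rule and keeps the reporting address usable, which matters more for a SECURITY.md contact line than the lint warning itself.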
🧹 Nitpick comments (1)
SECURITY.md (1)

87-90: Consider simplifying "mutual agreement" language.

Line 89 uses "mutual agreement," which is flagged as unnecessarily wordy. Consider a shorter alternative for conciseness.

Suggested revision:

-Please wait until either the fix is live or 90 days have passed since our acknowledgment, whichever comes first, before publishing details. Extensions can be arranged by mutual agreement.
+Please wait until either the fix is live or 90 days have passed since our acknowledgment, whichever comes first, before publishing details. Extensions are negotiable.
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f4b2f96 and 9e0db53.

📒 Files selected for processing (1)
  • SECURITY.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
SECURITY.md

[style] ~89-~89: ‘mutual agreement’ might be wordy. Consider a shorter alternative.
Context: ... details. Extensions can be arranged by mutual agreement. --- ## Prohibited Actions * Social ...

(EN_WORDINESS_PREMIUM_MUTUAL_AGREEMENT)

🪛 markdownlint-cli2 (0.18.1)
SECURITY.md

24-24: Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (2)
SECURITY.md (2)

3-16: Supported Versions table provides clear version support matrix.

The newly added Supported Versions table (lines 3-16) effectively communicates support status for versions 0.15.x through 1.8.x, addressing the prior feedback that newer versions were needed. The table is well-formatted and uses clear visual indicators.


18-102: Responsible Disclosure Policy is comprehensive and well-structured.

The new policy section includes all essential elements for security researchers: clear contact instructions, in-scope/out-of-scope definitions, safe harbor provisions, reporting guidelines, recognition terms, duplicate handling, disclosure timelines, and prohibited actions. The layout with horizontal rules between sections enhances readability. The policy appropriately balances security with researcher protections.
