Add security policy with bug bounty scope #27
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 251ffeac89
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Pull request overview
Adds a repository-level security policy to clarify bug bounty reporting and explicitly define what parts of this repo are in/out of scope, so reporters and maintainers can quickly triage recurring reports against CI/local tooling.
Changes:
- Introduces `SECURITY.md` describing how to report vulnerabilities under Stellar’s bug bounty program.
- Documents scope boundaries: published `stellar/stellar-cli` Docker images are in scope; CI/build tooling is out of scope unless genuinely untrusted input can affect published artifacts or secrets.
Adds a `SECURITY.md` so reporters and triagers have a clear scope statement for the bug bounty program.

It mirrors the stellar-core stub (bug bounty link), then documents that the published `stellar/stellar-cli` Docker images are in scope while the build/release tooling (`scripts/`, `.github/workflows/`) is not — because that tooling runs only in CI or locally and never receives untrusted input (values come from reviewed `builds.json`, pinned actions, admin-set repo variables, or a maintainer's own CLI args).

It calls out the specific finding classes this rules out — argument injection, path traversal via path flags, and crash-on-malformed-input — so recurring reports against the scripts can be closed by reference, while leaving the door open for genuinely untrusted input (e.g. a fork PR) reaching a script with real impact.
stellar/stellar-cliDocker images are in scope while the build/release tooling (scripts/,.github/workflows/) is not — because that tooling runs only in CI or locally and never receives untrusted input (values come from reviewedbuilds.json, pinned actions, admin-set repo variables, or a maintainer's own CLI args).It calls out the specific finding classes this rules out — argument injection, path traversal via path flags, and crash-on-malformed-input — so recurring reports against the scripts can be closed by reference, while leaving the door open for genuinely untrusted input (e.g. a fork PR) reaching a script with real impact.