Conversation

@Edu92337
Contributor

@Edu92337 Edu92337 commented Jan 8, 2026

Description and Notes

This PR adds a minimal SECURITY.md file following the style of Bitcoin Core, LND, and rust-lightning.

Closes #763

The document provides essential security information:

  • Vulnerability Reporting: Email contact (security@getfloresta.org) with PGP key fingerprint for encrypted communication
  • PGP Key Import: Command to import Davidson Souza's PGP key for secure disclosure

This follows the minimal security policy style used by major Bitcoin projects (bitcoin/bitcoin, lightningnetwork/lnd, lightningdevkit/rust-lightning), keeping only essential information without unnecessary details.

How to verify the changes you have done?

  1. Check formatting: View the rendered markdown on GitHub

     # Or locally with a markdown viewer
     grip SECURITY.md

  2. Verify the PGP key link: https://blog.dlsouza.lol/assets/gpg.asc

  3. Test GPG import command:

     gpg --recv-keys "2C8E 0F83 6FD7 DBBB B9E9 B2EF 8996 4EC3 AB22 B2E3"

Contributor Checklist

  • I've followed the contribution guidelines
  • I've verified one of the following:
    • Confirmed CI passed on my fork (documentation-only change)
  • I've linked any related issue(s) in the sections above (Missing SECURITY.md #763)
  • All commits are GPG-signed
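A check that belongs with step 3 of the verification above, added here as an example and not code from the PR or the project: after importing the key, confirm that the fingerprint gpg reports for the primary key equals the one published in SECURITY.md instead of trusting whatever the keyserver returned. The `--with-colons` sample below is constructed for the example; only the expected fingerprint comes from the PR.

```python
"""Verify that an imported GPG key's primary fingerprint matches the one in SECURITY.md."""
import re
import subprocess

# Fingerprint published in the PR's SECURITY.md (taken from the PR description).
EXPECTED_FPR = "2C8E 0F83 6FD7 DBBB B9E9 B2EF 8996 4EC3 AB22 B2E3"

# Constructed sample of `gpg --with-colons --fingerprint` output; not real gpg output.
# Field 10 of an "fpr" record holds the fingerprint; the first fpr after "pub" is the primary key.
SAMPLE_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:89964EC3AB22B2E3:1600000000:::-:::scESC::::::23::0:
fpr:::::::::2C8E0F836FD7DBBBB9E9B2EF89964EC3AB22B2E3:
uid:-::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Maintainer <security@example.invalid>::::::::::0:
sub:-:4096:1:0011223344556677:1600000000::::::e::::::23:
fpr:::::::::00112233445566778899AABBCCDDEEFF00112233:
"""


def normalize_fpr(fpr):
    """Drop whitespace and upper-case so the spaced form in SECURITY.md compares equal to gpg's form."""
    f = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", f):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % fpr)
    return f


def primary_fingerprints(colons_output):
    """Return fingerprints of primary keys only (subkey fpr records are ignored)."""
    found, expect_primary = [], False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True
        elif fields[0] == "fpr" and expect_primary and len(fields) > 9:
            found.append(fields[9].upper())
            expect_primary = False
        elif fields[0] in ("sub", "ssb"):
            expect_primary = False
    return found


def key_matches(colons_output, expected=EXPECTED_FPR):
    """True if the published fingerprint identifies a primary key in the gpg listing."""
    return normalize_fpr(expected) in primary_fingerprints(colons_output)


def check_local_keyring(expected=EXPECTED_FPR):
    """Same check against the real local keyring; needs gpg installed."""
    res = subprocess.run(["gpg", "--batch", "--with-colons", "--fingerprint", normalize_fpr(expected)],
                         capture_output=True, text=True)
    return res.returncode == 0 and key_matches(res.stdout, expected)


if __name__ == "__main__":
    print("sample listing matches SECURITY.md fingerprint:", key_matches(SAMPLE_COLONS))
```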

@moisesPompilio moisesPompilio left a comment

This SECURITY.md is too long and has too much unnecessary information. I think we need something like what bitcoin core does, here are some links to base it on: https://github.com/bitcoin/bitcoin?tab=security-ov-file#readme https://github.com/lightningdevkit/rust-lightning?tab=security-ov-fil https://github.com/lightningnetwork/lnd?tab=security-ov-file

@moisesPompilio moisesPompilio added the documentation Improvements or additions to documentation label Jan 8, 2026
@moisesPompilio
Collaborator

Please squash the commits.

@qlrd
Collaborator

qlrd commented Jan 9, 2026

IMO, the security information in Contributing section at README.md should be removed too.

@moisesPompilio
Collaborator

IMO, the security information in Contributing section at README.md should be removed too.

I don't think we need to remove this information. Instead, we could change it to reference SECURITY.md. This would make it easier for users reading the README.md to know where to find the SECURITY.md file.

@luisschwab
Member

This SECURITY.md is too long and has too much unnecessary information.

Yes, KISS.

@luisschwab luisschwab left a comment

Davidson-Souza previously approved these changes Jan 10, 2026

@Davidson-Souza Davidson-Souza left a comment

ACK 767a932

@Davidson-Souza
Member

Since the document was simplified, please update your PR description with the new approach

@JoseSK999 JoseSK999 left a comment

ACK 767a932

@JoseSK999
Member

We would need to update the security mail at README.md/Community, CONTRIBUTING.md/Security and install.sh

@Davidson-Souza
Member

We would need to update the security mail at README.md/Community, CONTRIBUTING.md/Security and install.sh

README.md/Community was changed by #764. But CONTRIBUTING needs to be changed as well. Should do that in another PR

@moisesPompilio
Collaborator

The SECURITY.md text is good, however you just need to make a change to the project's README.md because it talks about how to report a vulnerability in the community section. The current part needs to redirect to this file here, to indicate that if someone finds a vulnerability they should read the SECURITY.md to know how to report it, so the email and public key part of the person to report to stays in one place.

@Davidson-Souza
Member

@moisesPompilio

The SECURITY.md text is good, however you just need to make a change to the project's README.md because it talks about how to report a vulnerability in the community section. The current part needs to redirect to this file here, to indicate that if someone finds a vulnerability they should read the SECURITY.md to know how to report it, so the email and public key part of the person to report to stays in one place.

Agreed. But maybe we leave this as-is and push another PR fixing README and CONTRIBUTING?

@jaoleal
Collaborator

jaoleal commented Jan 10, 2026

ACK 767a932

@moisesPompilio
Collaborator

Agreed. But maybe we leave this as-is and push another PR fixing README and CONTRIBUTING?

Hmm, I think a fix afterwards would be strange. Better to do it in this PR, because all these changes would be in one commit which would make it easier to identify through the commit history why the lines were changed.

@Edu92337
Contributor Author

Updated README.md to redirect to SECURITY.md. Now all vulnerability reporting details (email and PGP key) are in a single place as requested.

@Davidson-Souza
Member

@Edu92337 could you also add this to CONTRIBUTING.md?

Add minimal security policy following Bitcoin Core style with:
- Vulnerability reporting contact
- PGP key fingerprint for secure communication

Closes getfloresta#763

@Davidson-Souza Davidson-Souza left a comment

re-ACK b2a661e

@luisschwab luisschwab left a comment

ACK b2a661e

@moisesPompilio
Collaborator

ACK b2a661e

@jaoleal
Collaborator

jaoleal commented Jan 10, 2026

ACK b2a661e

@Davidson-Souza Davidson-Souza merged commit f9e0ebd into getfloresta:master Jan 10, 2026
9 checks passed