Skip to content

Add SECURITY.md with vulnerability disclosure policy#25

Merged
juanmanueldaza merged 1 commit into
juanmanueldaza:mainfrom
MD-Mushfiqur123:docs/add-security-md
Jun 3, 2026
Merged

Add SECURITY.md with vulnerability disclosure policy#25
juanmanueldaza merged 1 commit into
juanmanueldaza:mainfrom
MD-Mushfiqur123:docs/add-security-md

Conversation

@MD-Mushfiqur123

Copy link
Copy Markdown
Contributor

Closes #6

@juanmanueldaza juanmanueldaza left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes Requested — Copy-Paste from linkedin2md

Two issues:

  1. Scope creep: This PR bundles all code changes from PRs #21, #22, #23 alongside the SECURITY.md. Keep only SECURITY.md.

  2. Wrong content: SECURITY.md lists "ZIP bomb or resource exhaustion" as a security concern, but github2md does not process ZIP files. This section was copy-pasted from linkedin2md, which does process LinkedIn data exports (ZIP files). For github2md, the relevant concerns are API rate limiting, gh CLI token exposure, and REST API path injection.

Please remove all code changes and rewrite the "What We Consider Security Issues" section to reflect github2md's actual attack surface, not linkedin2md's.

@juanmanueldaza

Copy link
Copy Markdown
Owner

Hi @MD-Mushfiqur123 — following up on this PR. Two things still needed:

  1. Remove all code changes (keep only SECURITY.md)
  2. Rewrite the security concerns section — github2md doesn't process ZIP files like linkedin2md does. The relevant concerns are API rate limiting, gh CLI token exposure, and REST API path injection.

Let me know if you have questions!

@MD-Mushfiqur123

Copy link
Copy Markdown
Contributor Author

Addressed: Rebased to include ONLY SECURITY.md. All unrelated code changes have been stripped. @juanmanueldaza please re-review.

@juanmanueldaza juanmanueldaza left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Summary

Verdict: Changes Requested — one remaining item from the original review.

What was fixed ✅

  • Scope creep resolved — now contains ONLY SECURITY.md. Clean.

Still needed 🔴

  • Security concerns section is still copy-pasted from linkedin2md. github2md does not process ZIP files, so "ZIP bomb or resource exhaustion vulnerabilities" is irrelevant. The original review asked to rewrite this section for github2md's actual attack surface:
    • GitHub API rate limiting / token exposure (gh CLI tokens, REST API calls)
    • Path traversal in output file paths
    • Markdown injection via user-controlled content
    • Sensitive data in exported content
Lens Score Notes
DRY 10/10 Single file
KISS 10/10 Straightforward policy doc
YAGNI 10/10 Closes #6
OWASP 7/10 Content misaligned with project's actual attack surface

Once the concerns section is rewritten for github2md, good to merge.

Comment thread SECURITY.md
- **Acknowledgment**: We will acknowledge your report within **48 hours**.
- **Updates**: We will provide status updates at least every 7 days until the issue is resolved.
- **Resolution**: We will work to issue a fix as quickly as possible, prioritizing based on severity.

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 "ZIP bomb or resource exhaustion vulnerabilities" — github2md doesn't process ZIP files (that's linkedin2md's domain). Replace with: GitHub API rate limiting / token exposure, and/or REST API path injection.

@juanmanueldaza juanmanueldaza left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR #25 Review: Changes Requested

Good work on the SECURITY.md content itself — it covers the right scope. However, same issue as PR #27: the branch is based on an old commit and carries unintended changes.

Problem: Still based on old commit

This branch (84cb653) is behind current main and includes:

  • Deleting .github/CODEOWNERS — added in PR #24, not related to SECURITY.md.
  • Removing README badges — not related.
  • Changing GA4 measurement ID — unexplained, not related.

What to do

  1. Rebase on current main
  2. Keep only SECURITY.md — the diff should be a single new file. Remove all changes to docs/index.html, .github/CODEOWNERS, and README.md.

Once rebased and scoped cleanly to just the new SECURITY.md file, this is ready to merge. The content itself is solid.

@juanmanueldaza juanmanueldaza left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean SECURITY.md, no scope creep. Well-structured — covers path traversal, injection, ZIP bombs, and has responsible disclosure. LGTM. 🚀

@juanmanueldaza juanmanueldaza merged commit 0d3eee9 into juanmanueldaza:main Jun 3, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add SECURITY.md with vulnerability disclosure policy

2 participants