Add SECURITY.md with vulnerability disclosure policy#25
Conversation
juanmanueldaza
left a comment
There was a problem hiding this comment.
Changes Requested — Copy-Paste from linkedin2md
Two issues:
-
Scope creep: This PR bundles all code changes from PRs #21, #22, #23 alongside the SECURITY.md. Keep only SECURITY.md.
-
Wrong content: SECURITY.md lists "ZIP bomb or resource exhaustion" as a security concern, but github2md does not process ZIP files. This section was copy-pasted from linkedin2md, which does process LinkedIn data exports (ZIP files). For github2md, the relevant concerns are API rate limiting,
ghCLI token exposure, and REST API path injection.
Please remove all code changes and rewrite the "What We Consider Security Issues" section to reflect github2md's actual attack surface, not linkedin2md's.
|
Hi @MD-Mushfiqur123 — following up on this PR. Two things still needed:
Let me know if you have questions! |
1d5ca5d to
84cb653
Compare
|
Addressed: Rebased to include ONLY |
juanmanueldaza
left a comment
There was a problem hiding this comment.
Review Summary
Verdict: Changes Requested — one remaining item from the original review.
What was fixed ✅
- Scope creep resolved — now contains ONLY
SECURITY.md. Clean.
Still needed 🔴
- Security concerns section is still copy-pasted from linkedin2md.
github2mddoes not process ZIP files, so "ZIP bomb or resource exhaustion vulnerabilities" is irrelevant. The original review asked to rewrite this section for github2md's actual attack surface:- GitHub API rate limiting / token exposure (
ghCLI tokens, REST API calls) - Path traversal in output file paths
- Markdown injection via user-controlled content
- Sensitive data in exported content
- GitHub API rate limiting / token exposure (
| Lens | Score | Notes |
|---|---|---|
| DRY | 10/10 | Single file |
| KISS | 10/10 | Straightforward policy doc |
| YAGNI | 10/10 | Closes #6 |
| OWASP | 7/10 | Content misaligned with project's actual attack surface |
Once the concerns section is rewritten for github2md, good to merge.
| - **Acknowledgment**: We will acknowledge your report within **48 hours**. | ||
| - **Updates**: We will provide status updates at least every 7 days until the issue is resolved. | ||
| - **Resolution**: We will work to issue a fix as quickly as possible, prioritizing based on severity. | ||
|
|
There was a problem hiding this comment.
🔴 "ZIP bomb or resource exhaustion vulnerabilities" — github2md doesn't process ZIP files (that's linkedin2md's domain). Replace with: GitHub API rate limiting / token exposure, and/or REST API path injection.
juanmanueldaza
left a comment
There was a problem hiding this comment.
PR #25 Review: Changes Requested
Good work on the SECURITY.md content itself — it covers the right scope. However, same issue as PR #27: the branch is based on an old commit and carries unintended changes.
Problem: Still based on old commit
This branch (84cb653) is behind current main and includes:
- Deleting
.github/CODEOWNERS— added in PR #24, not related to SECURITY.md. - Removing README badges — not related.
- Changing GA4 measurement ID — unexplained, not related.
What to do
- Rebase on current main
- Keep only
SECURITY.md— the diff should be a single new file. Remove all changes todocs/index.html,.github/CODEOWNERS, andREADME.md.
Once rebased and scoped cleanly to just the new SECURITY.md file, this is ready to merge. The content itself is solid.
juanmanueldaza
left a comment
There was a problem hiding this comment.
Clean SECURITY.md, no scope creep. Well-structured — covers path traversal, injection, ZIP bombs, and has responsible disclosure. LGTM. 🚀
Closes #6