
docs: add security policy#162

Merged
pablodeymo merged 1 commit into main from add-security-policy
Feb 27, 2026

Conversation

@MegaRedHand
Collaborator

This PR adds the security policy we have in ethrex to this repo.

@github-actions

🤖 Kimi Code Review

The security policy document looks good and follows GitHub's recommended practices. No technical issues found.

A few minor suggestions for improvement:

  1. Line 17: Consider adding a PGP key for encrypted email communication, as blockchain projects often handle sensitive vulnerability reports.

  2. Line 31: "We commit to handling reports with diligence" could be more specific. Consider adding a timeline commitment like "We aim to acknowledge receipt within 48 hours and provide a detailed response within 7 business days."

  3. Line 35: Consider adding a note about responsible disclosure timelines (e.g., "We typically request 90 days from patch release before public disclosure").

These are non-blocking suggestions. The policy is well-structured and covers the essential security reporting workflow.


Automated review by Kimi (Moonshot AI) · custom prompt

@github-actions

🤖 Codex Code Review

No code-level findings for consensus/client logic in this PR, because the diff only adds a documentation file: .github/SECURITY.md.

Review result:

  • Code correctness / bugs: No executable code changes.
  • Security vulnerabilities: No new attack surface introduced in runtime code.
  • Performance: No impact.
  • Rust best practices, memory safety, error handling: Not applicable (no Rust changes).
  • Consensus-layer correctness (fork choice, attestations, finalization, state transition, XMSS, SSZ): Not applicable (no consensus code changes).

Minor doc suggestion:

  1. In .github/SECURITY.md:29, “transparently” may over-commit process-wise; consider softer wording like “appropriately” depending on disclosure policy.

Automated review by OpenAI Codex · custom prompt

@github-actions

🤖 Claude Code Review

This PR adds a .github/SECURITY.md security policy — a pure documentation change with no code modifications.


PR Review: docs: add security policy (add-security-policy → main)

Summary: Adds a GitHub security policy file copied from the ethrex repository. No code changes.

Content Assessment

The policy is clear and well-structured. A few points worth noting:

  • The GitHub Security Advisories flow (step 1–3) correctly directs reporters to the private disclosure mechanism — good practice for a blockchain project.
  • The [email protected] fallback email is appropriate for reporters who prefer out-of-band contact.
  • The "no public disclosure before fix" guideline is stated clearly.
  • The reward section sets honest expectations without over-promising.

Minor Suggestions

  • Scope specificity: The policy is generic (copied from ethrex). Consider adding a sentence acknowledging the consensus-critical nature of ethlambda — e.g., noting that issues affecting fork choice, finalization, or signature verification are treated with highest priority. This helps reporters calibrate severity.

  • Response SLA: The policy says "we commit to handling reports with diligence" but gives no time bounds. Even a rough SLA (e.g., "initial response within 5 business days") builds reporter confidence. The ethrex origin policy likely omits this intentionally, but it's worth considering for a security-sensitive project.

  • No version scope: There's no mention of which versions are supported for security fixes. For an early-stage project this is probably fine to omit, but worth revisiting as the project matures.

Overall

The change is appropriate and the content is correct. Nothing blocking. The suggestions above are purely optional enhancements.


Automated review by Claude (Anthropic) · custom prompt

@greptile-apps
Contributor

greptile-apps bot commented Feb 27, 2026

Greptile Summary

Added a comprehensive security policy document that establishes clear guidelines for responsible vulnerability disclosure. The policy provides two reporting methods (GitHub Security Advisories and email to [email protected]), outlines response procedures, and clarifies the absence of a formal bug bounty program.

  • Follows security disclosure best practices with responsible disclosure guidelines
  • Provides clear, actionable instructions for security researchers
  • Professional and well-structured documentation

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • This is a documentation-only PR that adds a standard security policy file with no code changes, no logical issues, and follows best practices for security disclosure
  • No files require special attention

Important Files Changed

Filename: .github/SECURITY.md
Overview: Added comprehensive security policy with clear reporting instructions and contact information

Last reviewed commit: 8270d49

@pablodeymo pablodeymo merged commit 1882c8b into main Feb 27, 2026
7 checks passed
@pablodeymo pablodeymo deleted the add-security-policy branch February 27, 2026 18:51

2 participants