security: publish community vulnerability disclosure and triage policy #285
Open
Parent epic: #262
Define the pre-launch security disclosure and triage workflow for a no-budget, community-review launch model.
Why
Catalyst plans to launch without paid external audit/pen-test services. We need a clear, operator-facing and contributor-facing process for responsible disclosure and deterministic remediation handling.
Deliverables
- Security contact channel and intake path (private reporting preferred)
- Report template (impact, reproduction, versions, environment)
- Severity mapping (Critical/High/Medium/Low)
- Triage policy (owners, escalation, acceptance criteria)
- Response SLA targets (first response + update cadence)
- Coordinated disclosure guidance and acknowledgement policy
- Linkage to remediation evidence expectations in #273 (security: define security review scope and remediation checklist) and #272 (security: implement adversarial test plan (DoS/eclipse/sybil/partition) with evidence)
Definition of done
- Policy documented in docs/ and linked from docs/README.md
- Workflow references existing mainnet security gates (#272, #273, #280)
- Tracker issue #260 (mainnet: launch readiness program tracker) updated to include this requirement in launch criteria