chore(security): add SECURITY.md for coordinated vulnerability disclosure #6284

Open
camgrimsec wants to merge 2 commits into crewAIInc:main from camgrimsec:chore/add-security-md

@camgrimsec camgrimsec commented Jun 22, 2026

CrewAI currently has no SECURITY.md, which means GitHub does not show the 'Report a vulnerability' shortcut on the repo's Security tab and researchers have no documented private channel. For a 28k-star project that ships into production agent stacks, having a documented disclosure path is table stakes.

This adds a minimal, opinionated SECURITY.md that:

  • Points reporters at GitHub's private vulnerability reporting
  • Lists what makes a good report (component, version, repro, impact)
  • Describes a standard coordinated-disclosure flow via GHSA
  • Clarifies what is out of scope (user prompts, upstream LLM provider outages, third-party tools)

Intentionally avoids hard response-time SLAs so maintainers can adjust to capacity. No code paths, no public API, single new file.

Summary by CodeRabbit

  • Documentation
    • Added a complete security policy detailing how to report vulnerabilities responsibly, what information to include, and how coordinated disclosure and patched releases are handled.
    • Clarified scope and how security fixes are provided across the most recent and older releases.

@corridor-security corridor-security Bot left a comment

Summary: This PR adds a SECURITY.md disclosure policy and does not modify runtime code, authentication, authorization, data handling, or exposed endpoints. No exploitable security vulnerabilities were identified.

Risk: Low risk. The change is documentation-only and does not introduce new attack surfaces or alter security boundaries.

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 84d093c3-6d4a-49a6-8da0-3973af64b01a

📥 Commits

Reviewing files that changed from the base of the PR and between 7197947 and e4e8920.

📒 Files selected for processing (1)
  • SECURITY.md
✅ Files skipped from review due to trivial changes (1)
  • SECURITY.md

📝 Walkthrough

Walkthrough

A new SECURITY.md file is added to the repository. It defines the vulnerability reporting process (GitHub private advisories only), required report contents, a four-step coordinated disclosure workflow, out-of-scope categories, and supported version policy.

Changes

Security Policy

| Layer / File(s) | Summary |
| --- | --- |
| Security policy document: `SECURITY.md` | Adds the complete security policy: directs reporters to GitHub private advisories, specifies required report fields (affected components, versions, impact, reproduction/mitigation steps), outlines the coordinated disclosure process (confirmation, private fix, release, advisory publication with credit), lists out-of-scope categories (user prompt issues, upstream provider availability, credential misconfiguration, third-party tool vulnerabilities), and states that security fixes target the latest main release with critical fixes for older releases at maintainer discretion. |
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'chore(security): add SECURITY.md for coordinated vulnerability disclosure' accurately and specifically describes the main change: adding a security policy document for vulnerability disclosure. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Around line 14-16: The current SECURITY.md file directs users to README-listed
channels as a fallback if GitHub's private reporting is unavailable, but these
channels are not guaranteed to be private, which weakens the security disclosure
promise. Replace the reference to README-listed channels with a dedicated
private contact method (such as a specific email address, contact form, or other
guaranteed private channel). This ensures that anyone reporting a vulnerability
has a reliable private communication path even if GitHub advisories are
inaccessible.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 89f5c5cf-8d3d-4e9e-b4dd-f949c1a1e24f

📥 Commits

Reviewing files that changed from the base of the PR and between 4cbfbdb and 7197947.

📒 Files selected for processing (1)
  • SECURITY.md

Comment thread SECURITY.md Outdated
…sure

CrewAI currently has no SECURITY.md, which means GitHub does not show
the 'Report a vulnerability' shortcut on the repo's Security tab and
researchers have no documented private channel. For a 28k-star project
that ships into production agent stacks, having a documented disclosure
path is table stakes.

This adds a minimal, opinionated SECURITY.md that:
  - Points reporters at GitHub's private vulnerability reporting
  - Lists what makes a good report (component, version, repro, impact)
  - Describes a standard coordinated-disclosure flow via GHSA
  - Clarifies what is out of scope (user prompts, upstream LLM provider
    outages, third-party tools)

Intentionally avoids hard response-time SLAs so maintainers can adjust
to capacity. No code paths, no public API, single new file.

CodeRabbit flagged that the README-listed channels (Discord, X, general
support) are not guaranteed to be private and should not be used as a
disclosure fallback. Replaced with explicit guidance plus a TODO for
maintainers to fill in a dedicated security alias before merge.
@camgrimsec camgrimsec force-pushed the chore/add-security-md branch from 7197947 to e4e8920 June 23, 2026 16:06
@camgrimsec

Quick update:

  • Addressed @coderabbitai feedback in e4e8920 — removed the README fallback. The doc now explicitly states the README channels (Discord, X, general support) are not guaranteed to be private and should not be used for vulnerability disclosure. Left an inline TODO(maintainers) for a dedicated security alias (e.g. security@crewai.com) so a maintainer can fill it in before merge without another review round-trip.
  • Rebased on main to clear the behind-base state.

@joaomdmoura @lucasgomide — ready for human review when one of you has a minute. Happy to adjust the disclosure email / contact pattern if you'd prefer something different from the placeholder.

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
cat SECURITY.md

Length of output: 2355



@camgrimsec Thanks for the follow-up and the clean iteration! The current SECURITY.md looks good:

  • ✅ README fallback removed — the explicit callout that Discord/X/general support are not private is clear and well-placed.
  • TODO(maintainers) is in an HTML comment, so it won't render for end users but is visible in the raw file — good approach to flag the gap without blocking the PR.
  • ✅ The coordinated-disclosure workflow, out-of-scope items, and supported-versions sections are all in order.

The only outstanding item before merge is for a maintainer to swap the placeholder comment with a real security@crewai.com (or equivalent) alias — that's squarely in @joaomdmoura / @lucasgomide's court. From a policy and structure standpoint, this is ready to go.
