udlose · udlose · Jan 24, 2026 · Jan 24, 2026 · Jan 24, 2026
@@ -31,8 +31,12 @@ jobs:
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
       # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
+      # Recommended reads for private repos to avoid GraphQL/SAST gaps
+      contents: read
+      issues: read
+      pull-requests: read
+      checks: read
+      actions: read
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
@@ -54,7 +58,8 @@ jobs:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecard on a *private* repository
           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          # Since we use Classic GitHub Branch Protection Rules, we need to use a fine-grained PAT.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
           # Public repositories:
           #   - Publish results to OpenSSF REST API for easy access by consumers

@@ -3,14 +3,18 @@
 [![Release](https://img.shields.io/github/v/release/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/releases/latest)
 [![Build and Release](https://github.com/udlose/MermaidPad/actions/workflows/build-and-release.yml/badge.svg)](https://github.com/udlose/MermaidPad/actions/workflows/build-and-release.yml)
 [![CodeQL](https://github.com/udlose/MermaidPad/actions/workflows/codeql-main.yml/badge.svg)](https://github.com/udlose/MermaidPad/actions/workflows/codeql-main.yml)
-[![OSSF Scorecard supply-chain security](https://github.com/udlose/MermaidPad/actions/workflows/scorecard.yml/badge.svg)](https://github.com/udlose/MermaidPad/actions/workflows/scorecard.yml)[![Contributors](https://img.shields.io/github/contributors/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/graphs/contributors)
+[![OSSF Scorecard supply-chain security](https://github.com/udlose/MermaidPad/actions/workflows/scorecard.yml/badge.svg)](https://github.com/udlose/MermaidPad/actions/workflows/scorecard.yml)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/udlose/MermaidPad/badge)](https://scorecard.dev/viewer/?uri=github.com/udlose/MermaidPad)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/11823/badge)](https://www.bestpractices.dev/projects/11823)
 [![Stars](https://img.shields.io/github/stars/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/stargazers)
 [![Forks](https://img.shields.io/github/forks/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/network/members)
+[![Contributors](https://img.shields.io/github/contributors/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/graphs/contributors)
 [![Issues](https://img.shields.io/github/issues/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/issues)
 [![Issues Closed](https://img.shields.io/github/issues-closed-raw/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/issues?q=is%3Aissue+is%3Aclosed)
 [![Top Language](https://img.shields.io/github/languages/top/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad)
 [![Last Commit](https://img.shields.io/github/last-commit/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/commits/main)
 [![License](https://img.shields.io/github/license/udlose/MermaidPad?style=flat-square)](https://github.com/udlose/MermaidPad/blob/main/LICENSE.TXT)
+[![wakatime](https://wakatime.com/badge/github/udlose/MermaidPad.svg)](https://wakatime.com/badge/github/udlose/MermaidPad)
 
 ---
 
@@ -1085,6 +1089,14 @@ Also, please review our [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) to understand c
 
 ---
 
+## Security
+
+If you discover a security vulnerability in MermaidPad, please follow our [Security Policy](SECURITY.md) for responsible disclosure. **Do not** open public issues for security vulnerabilities.
+
+For more details, see [SECURITY.md](SECURITY.md).
+
+---
+
 ## License
 
 This project is licensed under the [MIT License](https://github.com/udlose/MermaidPad/blob/main/LICENSE).

@@ -0,0 +1,47 @@
+# Security Policy
+
+## Supported Versions
+
+This project is maintained on a best-effort basis.
+
+- Supported: The latest release and the `main` branch.
+- Unsupported: Older releases may not receive security fixes.
+
+If you are unsure whether your version is supported, please report the issue anyway.
+
+## Reporting a Vulnerability
+
+Please **do not** open a public GitHub issue for security vulnerabilities.
+
+Instead, use GitHub **Private Vulnerability Reporting**:
+
+1. Go to this repository’s **Security** tab.
+2. Select **Advisories**.
+3. Click **Report a vulnerability** and fill out the form.
+
+You will typically receive an initial response within **7 days**.
+
+## What to Include
+
+To help triage quickly, please include:
+
+- Affected version(s) and OS (Windows/macOS/Linux).
+- Steps to reproduce and/or proof-of-concept code.
+- Impact assessment (what an attacker can do).
+- Any suggested fix or mitigation (if you have one).
+
+## Disclosure Policy
+
+This project follows responsible disclosure:
+
+- Please allow reasonable time to investigate and patch before public disclosure.
+- If the issue is confirmed, a fix will be developed and released as soon as practical.
+- Once a fix is available, a public advisory/release notes entry may be published describing the issue and mitigation.
+
+## Security Updates
+
+Security fixes will be released as normal GitHub Releases and documented in release notes when possible.
+
+## Non-Security Bugs
+
+For non-security bugs and feature requests, please open a standard GitHub issue.