Merged
10 changes: 8 additions & 2 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,14 @@ We aim to respond to security reports within 5 business days.

## Supported Versions

We actively maintain and patch the latest release of Dfetch.
Older versions may not receive security updates.
We actively maintain and patch the **latest release** of Dfetch only.
Older versions do not receive security backports, and there is no long-term support (LTS) track.

## Security Update Commitment

We will address confirmed security vulnerabilities in the latest release as quickly as possible and provide updates free of charge.
We aim to release a security fix within 30 days of confirming a vulnerability, though we cannot guarantee a specific timeline for every issue.
Security fixes are distributed through the normal PyPI release process at no charge under the MIT licence.

## Disclosure Policy

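Review bot: the 30-day target in the new "Security Update Commitment" starts at the moment a vulnerability is confirmed, and confirmation itself is not time-bounded anywhere in this file; the only other promise is the initial response within 5 business days from the hunk header context. Consider stating a triage target (report received to confirmed/rejected) so the 30 days cannot be stretched by an open-ended triage. Minor: "free of charge" appears in both new sentences ("provide updates free of charge" and "at no charge under the MIT licence"); one is enough.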
20 changes: 10 additions & 10 deletions doc/explanation/compliance_track.rst
Expand Up @@ -59,7 +59,7 @@ Applicable Standards
* - prEN 40000-1-2
- Cyber Resilience Principles and Risk Management
- Yes
- Process standard covering risk-based product security across the lifecycle. The Product Security Context (§6.2) is documented in security.rst. Track A threat models (tm_supply_chain.py, tm_usage.py) implement §6.3–§6.6.
- Process standard covering risk-based product security across the lifecycle. The Product Security Context (§6.2) is documented in :doc:`security`. Track A threat models (tm_supply_chain.py, tm_usage.py) implement §6.3–§6.6.
- —
* - prEN 40000-1-3
- Vulnerability Handling Requirements
Expand Down Expand Up @@ -195,7 +195,7 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
- SO.DataMinimization
- C-044
- —
- ○ Planned
- ✓ Implemented
* - **ECR-H** — Protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks.
- SO.IncidentRecovery
- —
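Review bot: the ECR-G row flips from "○ Planned" to "✓ Implemented" but the gap/evidence cell above it is still "—" and the only cited control is C-044; nothing in this row says where the data-minimisation policy is documented. Point the row at the document that now carries the policy (the compliance_data.py change in this PR describes it as the .dfetch_data.yaml field list), otherwise an auditor reading the table cannot verify the status change.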
Expand Down Expand Up @@ -229,8 +229,8 @@ The table below summarises dfetch's implementation of each prEN 40000-1-4 Securi
* - **ECR-K** — Be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques.
- SO.ReduceImpactOfIncident
- C-005, C-007, C-015, C-017, C-046
- No documented exploit mitigation inventory (→ C-046 planned)
- ○ Planned
-
- ✓ Implemented
* - **ECR-L** — Provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user.
- SO.LogSecurityRelevantActivities
- C-036
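Review bot: the ECR-K row is set to "✓ Implemented" while the "Gap Analysis — Compliance-Only Controls" section is not touched by this PR; its ECR-k paragraph ("prEN 40000-1-4 ECR-k requires documenting applicable exploit mitigation techniques", visible as context in the later hunk header) was written when C-046 was planned, so check that it no longer describes the inventory as an open gap. Style: the cleared gap cell is left as a bare "-", whereas the other empty cells in this table use "- —" (as in the ECR-G and ECR-H rows); use the same placeholder.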
Expand Down Expand Up @@ -293,8 +293,8 @@ Part II requirements are addressed via prEN 40000-1-3. pii-04 is not applicable
- ✓ Implemented
* - Part II §2
- Address vulnerabilities without delay; provide free security updates.
- C-015, C-016
- No formal patch SLA defined; No backport/LTS commitment documented
- C-015, C-016, SECURITY.md
- No LTS backport policy (latest release only — documented in SECURITY.md)
- ⚠ Partial
* - Part II §3
- Apply effective coordinated vulnerability disclosure (CVD) policy.
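Review bot: the new pii-02 gap text "No LTS backport policy (latest release only — documented in SECURITY.md)" describes a deliberate, documented decision rather than something missing, yet the row stays "⚠ Partial". Either say what would move §2 to Implemented (for example, a backport policy for the previous release), or record the latest-release-only policy as the accepted answer and drop the gap; as written the reader cannot tell what remains to be done.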
Expand All @@ -318,9 +318,9 @@ Part II requirements are addressed via prEN 40000-1-3. pii-04 is not applicable
- ⚠ Partial
* - Part II §7
- Provide security updates free of charge for the support period.
- MIT licence, PyPI
- No support period or LTS policy documented
- ⚠ Partial
- MIT licence, PyPI, SECURITY.md
-
- ✓ Implemented

Gap Analysis — Compliance-Only Controls
---------------------------------------
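Review bot: pii-07 is promoted to "✓ Implemented" on the strength of SECURITY.md, while pii-02 in the hunk just above cites the same document and remains "⚠ Partial" because no LTS backport policy exists. Both requirements hinge on the same support-period question, so the table should explain why the absence of an LTS track blocks §2 but satisfies §7; otherwise the two rows look contradictory.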
Expand Down Expand Up @@ -350,7 +350,7 @@ prEN 40000-1-4 ECR-k requires documenting applicable exploit mitigation techniqu
Final Control Register
----------------------

All controls from Track A (risk-driven) and Track B (regulatory) merged and sorted. Track B controls (C-043C-046) are marked accordingly.
All controls from Track A (risk-driven) and Track B (regulatory) merged and sorted. Track B controls (C-043, C-044, and C-046) are marked accordingly.

.. list-table::
:header-rows: 1
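Review bot: the rewritten sentence names "C-043, C-044, and C-046" as the Track B controls and silently drops C-045. The original "C-043C-046" reads like the range "C-043–C-046" with the dash lost, and the security.rst hunk in this PR lists four compliance-only controls including C-045 (destination-path sensitivity warning). Either restore C-045 here or explain in the sentence why it is no longer a Track B control.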
2 changes: 1 addition & 1 deletion doc/explanation/security.rst
Expand Up @@ -136,8 +136,8 @@ The three-tier traceability model is::
Three compliance-only controls introduced in Track B address CRA requirements
not independently surfaced by the risk models:

- **C-043** (release-gate CVE check) — ECR-a / SO.VulnerabilityManagementProcess → GEC-1
- **C-044** (data minimisation policy) — ECR-g / SO.DataMinimization → DTM-1
- **C-045** (destination-path sensitivity warning) — ECR-i / SO.PreventAttackPropagation → LIM-2
- **C-046** (exploit mitigation inventory) — ECR-k / SO.ReduceImpactOfIncident → GEC-11

Machine-readable OSCAL 1.1.2 artifacts are kept alongside the source:
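Review bot: "Three compliance-only controls introduced in Track B" is followed by four bullets (C-043, C-044, C-045, C-046). Fix the count in the sentence or remove the bullet that no longer belongs, and keep the result in line with whatever list compliance_track.rst ends up using for Track B controls.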
2 changes: 1 addition & 1 deletion security/compliance.py
Expand Up @@ -484,7 +484,7 @@ def _render_control_register(track_b_only: bool = False) -> None:
print(_rst_title("Final Control Register", "-"))
print(
"All controls from Track A (risk-driven) and Track B (regulatory) merged and "
"sorted. Track B controls (C-043C-046) are marked accordingly.\n"
"sorted. Track B controls (C-043, C-044, and C-046) are marked accordingly.\n"
)
track_b_ids = {c.id for c in TRACK_B_CONTROLS}
rows = [
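Review bot: the control list in the printed sentence is a hard-coded string, which is exactly how it and compliance_track.rst drifted apart before this PR. The set of Track B ids is already computed two lines later (`track_b_ids = {c.id for c in TRACK_B_CONTROLS}`); build the sentence from `sorted(track_b_ids)` instead so the prose can never disagree with the data, and the C-045 question is then answered by TRACK_B_CONTROLS rather than by an edit to a string.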
20 changes: 9 additions & 11 deletions security/compliance_data.py
Expand Up @@ -83,7 +83,7 @@ class PartIIRequirement:
applies=True,
scope_note=(
"Process standard covering risk-based product security across the lifecycle. "
"The Product Security Context (§6.2) is documented in security.rst. "
"The Product Security Context (§6.2) is documented in :doc:`security`. "
"Track A threat models (tm_supply_chain.py, tm_usage.py) implement §6.3–§6.6."
),
),
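Review bot: `:doc:\`security\`` inside `scope_note` is a Sphinx role; it renders only when this string ends up in the generated reStructuredText. If `scope_note` is ever emitted anywhere else (plain-text or console output of the compliance tooling), the role will appear literally. Fine as-is if the rst is the only consumer, but worth a comment on the field.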
Expand Down Expand Up @@ -406,9 +406,9 @@ class PartIIRequirement:
"UNM-1, UNM-2 (dfetch processes no personal data requiring user notification)",
"DTM-3 (no optional data processing to configure)",
],
status="planned",
status="implemented",
description=(
"DTM-1: C-044 (planned) documents that .dfetch_data.yaml is limited to "
"DTM-1: C-044 documents that .dfetch_data.yaml is limited to "
"remote_url (stripped), revision, optional hash, and last_fetch — each "
"justified by functional necessity. "
"DTM-2: met by design — dfetch collects no telemetry or optional data."
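Review bot: the requirement's `status` moves to "implemented" and "(planned)" is removed from the C-044 reference, but the C-044 control entry itself is not part of this diff. If that entry in TRACK_B_CONTROLS still carries a planned status, the Final Control Register and this requirement will disagree; flip both in the same change or derive the requirement status from the linked controls.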
Expand Down Expand Up @@ -503,13 +503,12 @@ class PartIIRequirement:
not_applicable=[
"Compile-time mitigations (CFI, sandboxing) — not applicable to pure Python"
],
gaps=["No documented exploit mitigation inventory (→ C-046 planned)"],
status="planned",
status="implemented",
description=(
"GEC-11: Python interpreter provides ASLR/DEP/stack-canaries (OS-level). "
"dfetch: no eval/exec of remote content; constant-time comparison (C-005); "
"shell=False (C-007); static analysis (C-015, C-017). "
"C-046 (planned) formalises this inventory."
"C-046 formalises this inventory in doc/explanation/compliance_track.rst."
),
),
# ECR-l: Monitoring and Logging
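Review bot: the `gaps=[...]` line is deleted outright rather than set to an empty list, so this relies on the dataclass default for `gaps`; confirm it is an empty list and not `None`, since downstream rendering iterates over it. Also the new description says C-046 "formalises this inventory in doc/explanation/compliance_track.rst", yet the only hunk touching that file for ECR-K changes the status cell; make sure the inventory (ASLR/DEP, no eval/exec, constant-time comparison, shell=False, static analysis) actually appears in that document and not only in this description string.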
Expand Down Expand Up @@ -604,8 +603,8 @@ class PartIIRequirement:
id="pii-02",
ref="Part II §2",
text="Address vulnerabilities without delay; provide free security updates.",
controls=["C-015", "C-016"],
gaps=["No formal patch SLA defined", "No backport/LTS commitment documented"],
controls=["C-015", "C-016", "SECURITY.md"],
gaps=["No LTS backport policy (latest release only — documented in SECURITY.md)"],
status="partially-implemented",
),
PartIIRequirement(
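Review bot: "SECURITY.md" is appended to `controls` alongside real control ids (C-015, C-016). compliance.py resolves ids against the register (`track_b_ids = {c.id for c in TRACK_B_CONTROLS}` in its hunk), and a file name has no register entry to link to, so it will render as an unresolved control. Either register the policy document as a control with an id or add a separate evidence field for documents.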
Expand Down Expand Up @@ -640,8 +639,7 @@ class PartIIRequirement:
id="pii-07",
ref="Part II §7",
text="Provide security updates free of charge for the support period.",
controls=["MIT licence", "PyPI"],
gaps=["No support period or LTS policy documented"],
status="partially-implemented",
controls=["MIT licence", "PyPI", "SECURITY.md"],
status="implemented",
),
]
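Review bot: pii-07 is marked "implemented" because SECURITY.md now exists, but the requirement text is "for the support period" and SECURITY.md only says the latest release is maintained and there is no LTS track; it never states a support period. Add one sentence to SECURITY.md defining the period (for example, that a release is supported until the next release is published) so that the evidence actually matches the requirement being ticked.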