From db0760f8b4e7fe5ca9d1899579f15f71f3e043d8 Mon Sep 17 00:00:00 2001 From: Marceline Cramer Date: Sat, 16 May 2026 16:54:35 -0600 Subject: [PATCH] Migrate security policy notes to their page --- site/content/contribute/security.md | 6 +++++- site/content/contribute/site.md | 5 ----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/site/content/contribute/security.md b/site/content/contribute/security.md index e30e828..22ddbbd 100644 --- a/site/content/contribute/security.md +++ b/site/content/contribute/security.md @@ -15,4 +15,8 @@ Unfortunately for everybody, JavaScript is the language of the web. Kerolox does [^tanstack]: [Tanstack supply chain attack](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem) -- TODO: describe workarounds +- TODO: describe npm workarounds +- TODO: CVE reporting policy +- TODO: dependency updating strategy + - npm-based stuff is under extra scrutiny +- TODO automatic secret sanitation diff --git a/site/content/contribute/site.md b/site/content/contribute/site.md index 42c35ef..fca6dd6 100644 --- a/site/content/contribute/site.md +++ b/site/content/contribute/site.md @@ -45,11 +45,6 @@ This runs Zola as an HTTP server of the site's content at `http://localhost:1111 - TODO: [PWA support](https://abridge.pages.dev/overview-abridge/#pwa) for mobile sandbox - TODO: Atkinson Hyperlegible Next - TODO: document how to report bugs and get help -- TODO: document security policy - - CVE reporting policy - - dependency updating strategy - - npm-based stuff is under extra scrutiny - - automatic secret sanitation - TODO: cookbook for common Kerolox idioms - TODO: tag example pages by demonstrated concept - TODO: favicon
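Review bot: in the security.md hunk, the last added item `- TODO automatic secret sanitation` is missing the colon that every other `- TODO:` item in the list carries; write it as `- TODO: automatic secret sanitation` so the list stays consistent and greppable. The nested `- npm-based stuff is under extra scrutiny` also reads as a detached fragment once moved here; consider folding it into the dependency-updating item it qualifies (e.g. `- TODO: dependency updating strategy (npm-based dependencies get extra scrutiny)`) or phrasing it as a full sentence, since this page is the one the security policy will eventually live on.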
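Review bot: in the site.md hunk, removing the `- TODO: document security policy` subtree leaves the site TODO list with no pointer to where that work went; keep a one-line item such as `- TODO: link to the security policy page once it is written` (or a plain reference to `contribute/security.md`) so a contributor reading this list can still find the migrated items. The deletion count in the `@@ -45,11 +45,6 @@` header matches the five removed lines, so the hunk itself is consistent.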