diff --git a/CHANGELOG.md b/CHANGELOG.md index d41b0b1..036b294 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ This project has a published GitHub Release line, but no stable support or API g ### Added +- Added a private vulnerability reporting verification record and documented that GitHub private vulnerability reporting is enabled after manual UI verification. - Added a dedicated CodeQL workflow for Python code scanning without changing the protected CI required check name. - Added a read-only security and supply-chain evaluation record for CodeQL, private vulnerability reporting, Dependabot, Scorecard, and GitHub Actions pinning. - Added a non-required Python 3.13 compatibility CI job without changing the protected Python 3.12 required check name. diff --git a/SECURITY.md b/SECURITY.md index 6848909..61bb1e7 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -46,9 +46,11 @@ Use fake examples only. ## Reporting a vulnerability -Private vulnerability reporting has been checked and is currently verified as disabled. +Private vulnerability reporting is enabled for this repository. -Do not claim private vulnerability reporting is enabled. +Use GitHub private vulnerability reporting for sensitive vulnerability reports when available. + +See `docs/PRIVATE-VULNERABILITY-REPORTING.md` for the verification record and limits of this disclosure channel. If a sensitive issue cannot be reported privately through GitHub, do not publish secrets, exploit details, private URLs, customer data, or sensitive repository contents. Open only a minimal public issue requesting a private contact path. diff --git a/docs/PRIVATE-VULNERABILITY-REPORTING.md b/docs/PRIVATE-VULNERABILITY-REPORTING.md new file mode 100644 index 0000000..00f4339 --- /dev/null +++ b/docs/PRIVATE-VULNERABILITY-REPORTING.md 
@@ -0,0 +1,70 @@ +# Private Vulnerability Reporting Verification + +Status: enabled, manually verified in GitHub repository settings. + +This phase records that private vulnerability reporting was enabled manually in GitHub repository settings. + +## Scope + +Repository: `CoderDeltaLAN/agent-rules-kit` + +Branch: `security/verify-private-vulnerability-reporting-setting` + +This document records how private vulnerability reporting was verified before repository documentation claimed that it is enabled. + +## Official behavior + +GitHub documents that owners and administrators of public repositories can enable private vulnerability reporting for a repository. + +GitHub documents the repository-level UI path as: + +- repository `Settings`; +- `Advanced Security`; +- `Private vulnerability reporting`; +- `Enable` or `Disable`. + +GitHub also documents that, when private vulnerability reporting is enabled, security researchers see a `Report a vulnerability` button on the repository's `Advisories` page. + +Notifications for new private vulnerability reports depend on repository watching state, security alert subscriptions, and the maintainer's notification preferences. + +## Verification boundary + +The GitHub REST repository payload did not expose a clear private vulnerability reporting enabled or disabled field during this verification phase. + +The repository security advisories endpoint did not provide a setting-state signal during this verification phase. + +Therefore, the reliable verification path for this repository setting is manual GitHub UI verification unless a future GitHub API exposes a clear setting state. + +## Current repository decision + +Private vulnerability reporting is enabled for this repository. + +Manual verification evidence: the repository `Settings` → `Advanced Security` page shows the `Private vulnerability reporting` control with a `Disable` button, which means the setting is currently enabled. 
+ +This phase does not enable or configure Dependabot, dependency graph, dependency alerts, security updates, grouped updates, version updates, branch protection, release, PyPI, CodeQL, or action-pinning changes. + +## Manual verification checklist + +To verify the setting manually: + +1. Open the repository on GitHub. +2. Go to `Settings`. +3. In the security section, open `Advanced Security`. +4. Find `Private vulnerability reporting`. +5. If GitHub shows `Enable`, the feature is currently disabled. +6. If GitHub shows `Disable`, the feature is currently enabled. +7. If enabled, open the repository `Advisories` page and verify that `Report a vulnerability` is visible. +8. Only after that evidence exists, update `SECURITY.md` to say private vulnerability reporting is enabled. + +## Documentation rule + +Because enabled state has been manually verified in the GitHub UI, repository documentation may state: + +- private vulnerability reporting is enabled; +- security researchers may use GitHub private vulnerability reporting for this repository. + +Do not claim that this provides a security guarantee, replaces maintainer review, or proves that the project is free of vulnerabilities. + +## Security note + +Private vulnerability reporting is a disclosure channel. It is not a security guarantee, not a scanner, not a replacement for maintainer review, and not proof that the project is free of vulnerabilities.
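Review bot: the new `### Added` entry in the CHANGELOG hunk records only an addition, but the same change set reverses a previously documented state (the SECURITY.md hunk removes `-Private vulnerability reporting has been checked and is currently verified as disabled.`), so a reader of the changelog alone cannot tell that the documented status flipped from disabled to enabled. Consider a companion entry under `### Changed`, for example `- Changed SECURITY.md to state that private vulnerability reporting is enabled (previously documented as verified disabled).` The added entry is also ambiguous as written: "documented that GitHub private vulnerability reporting is enabled after manual UI verification" can be read as the feature becoming enabled after verification; "documented, after manual UI verification, that GitHub private vulnerability reporting is enabled" says what the hunk means.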
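Review bot: in the SECURITY.md hunk, `+Use GitHub private vulnerability reporting for sensitive vulnerability reports when available.` hedges with "when available" directly after the unconditional `+Private vulnerability reporting is enabled for this repository.`, which reintroduces the uncertainty the removed line `-Do not claim private vulnerability reporting is enabled.` was guarding against; either drop "when available" or state the concrete condition. The section also never tells a reporter where the channel is: the new docs file records that an enabled setting shows a `Report a vulnerability` button on the repository `Advisories` page, so add that one sentence here rather than requiring reporters to read the verification record. Since the claim rests on a manual UI check, consider stating the verification date beside it so a reader can judge whether it is stale.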
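Review bot: the verification record in the new docs/PRIVATE-VULNERABILITY-REPORTING.md carries no date, no verifier, and no commit or release reference for the UI check, so the `Status: enabled, manually verified in GitHub repository settings.` claim cannot be audited or noticed when it goes stale; add a `Verified on:` line (and who performed the check) under `Status:`, and make checklist step 8 require that evidence to be recorded before `SECURITY.md` is updated. The `Branch: security/verify-private-vulnerability-reporting-setting` line will point at nothing once the branch is merged and deleted; replace it with the merge commit or remove it. Under `## Verification boundary`, the two negative findings name the repository payload and the advisories endpoint but not the exact requests made, so the boundary cannot be re-tested; record them, and check whether GitHub's REST API per-repository private-vulnerability-reporting endpoint returns the setting state directly, which would narrow the "manual UI verification only" conclusion. Minor: "This phase" is used twice as the subject of a standalone record where "This document" reads better, and the `Settings` → `Advanced Security` path in `## Current repository decision` uses an arrow while `## Official behavior` lists the same path as bullets; use one form.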