From 25e63afa475d6e3cbc0b703431492a7fb5015977 Mon Sep 17 00:00:00 2001 From: CoderDeltaLAN Date: Fri, 19 Jun 2026 07:55:04 +0100 Subject: [PATCH 1/2] docs: record private vulnerability reporting verification --- CHANGELOG.md | 1 + SECURITY.md | 6 ++- docs/PRIVATE-VULNERABILITY-REPORTING.md | 70 +++++++++++++++++++++++++ 3 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 docs/PRIVATE-VULNERABILITY-REPORTING.md diff --git a/CHANGELOG.md b/CHANGELOG.md index d41b0b1..b7600b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ This project has a published GitHub Release line, but no stable support or API g ### Added +- Added a private vulnerability reporting verification record and clarified that enablement must be verified through the GitHub UI before changing `SECURITY.md`. - Added a dedicated CodeQL workflow for Python code scanning without changing the protected CI required check name. - Added a read-only security and supply-chain evaluation record for CodeQL, private vulnerability reporting, Dependabot, Scorecard, and GitHub Actions pinning. - Added a non-required Python 3.13 compatibility CI job without changing the protected Python 3.12 required check name. diff --git a/SECURITY.md b/SECURITY.md index 6848909..f455ce2 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -46,9 +46,11 @@ Use fake examples only. ## Reporting a vulnerability -Private vulnerability reporting has been checked and is currently verified as disabled. +Private vulnerability reporting is currently documented as disabled. -Do not claim private vulnerability reporting is enabled. +See `docs/PRIVATE-VULNERABILITY-REPORTING.md` for the verification boundary and the manual GitHub UI check required before changing this statement. + +Do not claim private vulnerability reporting is enabled unless the GitHub UI explicitly verifies it as enabled. If a sensitive issue cannot be reported privately through GitHub, do not publish secrets, exploit details, private URLs, customer data, or sensitive repository contents. Open only a minimal public issue requesting a private contact path. diff --git a/docs/PRIVATE-VULNERABILITY-REPORTING.md b/docs/PRIVATE-VULNERABILITY-REPORTING.md new file mode 100644 index 0000000..42d47f4 --- /dev/null +++ b/docs/PRIVATE-VULNERABILITY-REPORTING.md 
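Review bot: the fallback in this SECURITY.md hunk still leaves reporters with no private channel. With private vulnerability reporting "currently documented as disabled", the unchanged paragraph below tells a reporter to "Open only a minimal public issue requesting a private contact path", so the first contact about a sensitive bug is public and the maintainer's response time gates disclosure. Add a maintainer contact (an email address or another private channel) to the "Reporting a vulnerability" section so the fallback is actually private; the wording change from "verified as disabled" to "documented as disabled" and the guarded "Do not claim ... unless the GitHub UI explicitly verifies it" line are fine as written.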
@@ -0,0 +1,70 @@ +# Private Vulnerability Reporting Verification + +Status: verification record only. + +This phase does not enable, disable, or otherwise change GitHub repository settings. + +## Scope + +Repository: `CoderDeltaLAN/agent-rules-kit` + +Branch: `security/verify-private-vulnerability-reporting-setting` + +This document records how private vulnerability reporting must be verified before repository documentation can claim that it is enabled. + +## Official behavior + +GitHub documents that owners and administrators of public repositories can enable private vulnerability reporting for a repository. + +GitHub documents the repository-level UI path as: + +- repository `Settings`; +- `Advanced Security`; +- `Private vulnerability reporting`; +- `Enable` or `Disable`. + +GitHub also documents that, when private vulnerability reporting is enabled, security researchers see a `Report a vulnerability` button on the repository's `Advisories` page. + +Notifications for new private vulnerability reports depend on repository watching state, security alert subscriptions, and the maintainer's notification preferences. + +## Verification boundary + +The GitHub REST repository payload did not expose a clear private vulnerability reporting enabled or disabled field during this verification phase. + +The repository security advisories endpoint did not provide a setting-state signal during this verification phase. + +Therefore, the reliable verification path for this repository setting is manual GitHub UI verification unless a future GitHub API exposes a clear setting state. + +## Current repository decision + +Do not claim that private vulnerability reporting is enabled unless the maintainer verifies the GitHub UI state after enabling it. + +The repository may continue to document private vulnerability reporting as disabled unless the GitHub UI shows it as enabled. 
+ +If the maintainer decides to enable private vulnerability reporting, use a separate settings-only phase or a clearly scoped continuation of this phase. Do not combine it with Dependabot, CodeQL, branch protection, release, PyPI, or action-pinning changes. + +## Manual verification checklist + +To verify the setting manually: + +1. Open the repository on GitHub. +2. Go to `Settings`. +3. In the security section, open `Advanced Security`. +4. Find `Private vulnerability reporting`. +5. If GitHub shows `Enable`, the feature is currently disabled. +6. If GitHub shows `Disable`, the feature is currently enabled. +7. If enabled, open the repository `Advisories` page and verify that `Report a vulnerability` is visible. +8. Only after that evidence exists, update `SECURITY.md` to say private vulnerability reporting is enabled. + +## Documentation rule + +Until enabled state is explicitly verified, use conservative wording: + +- allowed: private vulnerability reporting is not currently claimed as enabled; +- allowed: verify the GitHub UI before changing this statement; +- prohibited: private vulnerability reporting is enabled; +- prohibited: security researchers can privately report through GitHub for this repository. + +## Security note + +Private vulnerability reporting is a disclosure channel. It is not a security guarantee, not a scanner, not a replacement for maintainer review, and not proof that the project is free of vulnerabilities. From a47b7fecca93b97b7ad8e85464cbd815a6776472 Mon Sep 17 00:00:00 2001 From: CoderDeltaLAN Date: Fri, 19 Jun 2026 08:19:58 +0100 Subject: [PATCH 2/2] docs: document private vulnerability reporting enabled --- CHANGELOG.md | 2 +- SECURITY.md | 6 +++--- docs/PRIVATE-VULNERABILITY-REPORTING.md | 22 +++++++++++----------- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b7600b7..036b294 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
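Review bot: the "Verification boundary" section of the new file records a negative result ("did not expose a clear private vulnerability reporting enabled or disabled field during this verification phase") without saying which endpoints were queried, which API version, or on what date, so nobody can later tell whether the boundary still holds; list the endpoints tried, date the finding, and, if the API version in use offers a dedicated repository-level private-vulnerability-reporting endpoint, record the result of querying it as well. Two smaller points: the "Branch: `security/verify-private-vulnerability-reporting-setting`" line will be wrong as soon as the branch is merged and deleted, so refer to the PR or merge commit instead; and checklist step 7 should be performed from a non-maintainer or logged-out session, since that is the view a researcher actually gets of the "Report a vulnerability" button.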
@@ -8,7 +8,7 @@ This project has a published GitHub Release line, but no stable support or API g ### Added -- Added a private vulnerability reporting verification record and clarified that enablement must be verified through the GitHub UI before changing `SECURITY.md`. +- Added a private vulnerability reporting verification record and documented that GitHub private vulnerability reporting is enabled after manual UI verification. - Added a dedicated CodeQL workflow for Python code scanning without changing the protected CI required check name. - Added a read-only security and supply-chain evaluation record for CodeQL, private vulnerability reporting, Dependabot, Scorecard, and GitHub Actions pinning. - Added a non-required Python 3.13 compatibility CI job without changing the protected Python 3.12 required check name. diff --git a/SECURITY.md b/SECURITY.md index f455ce2..61bb1e7 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -46,11 +46,11 @@ Use fake examples only. ## Reporting a vulnerability -Private vulnerability reporting is currently documented as disabled. +Private vulnerability reporting is enabled for this repository. -See `docs/PRIVATE-VULNERABILITY-REPORTING.md` for the verification boundary and the manual GitHub UI check required before changing this statement. +Use GitHub private vulnerability reporting for sensitive vulnerability reports when available. -Do not claim private vulnerability reporting is enabled unless the GitHub UI explicitly verifies it as enabled. +See `docs/PRIVATE-VULNERABILITY-REPORTING.md` for the verification record and limits of this disclosure channel. If a sensitive issue cannot be reported privately through GitHub, do not publish secrets, exploit details, private URLs, customer data, or sensitive repository contents. Open only a minimal public issue requesting a private contact path. diff --git a/docs/PRIVATE-VULNERABILITY-REPORTING.md b/docs/PRIVATE-VULNERABILITY-REPORTING.md index 42d47f4..00f4339 100644 
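Review bot: in the SECURITY.md hunk, "Use GitHub private vulnerability reporting for sensitive vulnerability reports when available" hedges a statement that the line above makes unconditionally ("Private vulnerability reporting is enabled for this repository"); drop "when available" or say what it means, for example that the setting can be turned off again. The section also never tells a reporter where the channel is: link the repository's Security → Advisories page, which is where `docs/PRIVATE-VULNERABILITY-REPORTING.md` says the "Report a vulnerability" button appears. The unchanged fallback paragraph still offers only a public issue when private reporting cannot be used; a maintainer contact would make that fallback private.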
--- a/docs/PRIVATE-VULNERABILITY-REPORTING.md +++ b/docs/PRIVATE-VULNERABILITY-REPORTING.md @@ -1,8 +1,8 @@ # Private Vulnerability Reporting Verification -Status: verification record only. +Status: enabled, manually verified in GitHub repository settings. -This phase does not enable, disable, or otherwise change GitHub repository settings. +This phase records that private vulnerability reporting was enabled manually in GitHub repository settings. ## Scope @@ -10,7 +10,7 @@ Repository: `CoderDeltaLAN/agent-rules-kit` Branch: `security/verify-private-vulnerability-reporting-setting` -This document records how private vulnerability reporting must be verified before repository documentation can claim that it is enabled. +This document records how private vulnerability reporting was verified before repository documentation claimed that it is enabled. ## Official behavior 
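Review bot: "Status: enabled, manually verified in GitHub repository settings" records no date and no verifier, and that is exactly the evidence the rest of this document says must exist before SECURITY.md may claim enablement; add who verified it and when (a UTC date is enough), because the setting can be changed in the UI at any time and the record otherwise cannot be audited. The "Branch: `security/verify-private-vulnerability-reporting-setting`" context line in the second hunk is kept as-is; it names a verification branch that will not exist after merge, so replace it with the PR or merge commit reference.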
@@ -37,11 +37,11 @@ Therefore, the reliable verification path for this repository setting is manual ## Current repository decision -Do not claim that private vulnerability reporting is enabled unless the maintainer verifies the GitHub UI state after enabling it. +Private vulnerability reporting is enabled for this repository. -The repository may continue to document private vulnerability reporting as disabled unless the GitHub UI shows it as enabled. +Manual verification evidence: the repository `Settings` → `Advanced Security` page shows the `Private vulnerability reporting` control with a `Disable` button, which means the setting is currently enabled. -If the maintainer decides to enable private vulnerability reporting, use a separate settings-only phase or a clearly scoped continuation of this phase. Do not combine it with Dependabot, CodeQL, branch protection, release, PyPI, or action-pinning changes. +This phase does not enable or configure Dependabot, dependency graph, dependency alerts, security updates, grouped updates, version updates, branch protection, release, PyPI, CodeQL, or action-pinning changes. ## Manual verification checklist 
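Review bot: the evidence paragraph records only the `Disable` button under `Settings` → `Advanced Security`, but the checklist further down in this same file (step 7) also requires confirming that "Report a vulnerability" is visible on the repository `Advisories` page, and this hunk does not say that check was done; record it or state that it was skipped. The replacement for "If the maintainer decides to enable ... Do not combine it with Dependabot, CodeQL, ..." is now a list of what this phase does not touch, which is fine, but it no longer says what the phase did touch (the setting was enabled manually in the UI, outside any commit); state that explicitly so the section matches the new "Status" line.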
@@ -58,12 +58,12 @@ To verify the setting manually: ## Documentation rule -Until enabled state is explicitly verified, use conservative wording: +Because enabled state has been manually verified in the GitHub UI, repository documentation may state: -- allowed: private vulnerability reporting is not currently claimed as enabled; -- allowed: verify the GitHub UI before changing this statement; -- prohibited: private vulnerability reporting is enabled; -- prohibited: security researchers can privately report through GitHub for this repository. +- private vulnerability reporting is enabled; +- security researchers may use GitHub private vulnerability reporting for this repository. + +Do not claim that this provides a security guarantee, replaces maintainer review, or proves that the project is free of vulnerabilities. ## Security note
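Review bot: this hunk drops the conservative-wording rule without covering the reverse transition: the new text says what documentation "may state" now that the setting is enabled, but not what must happen if the setting is later disabled (SECURITY.md and this file must be reverted and the "Report a vulnerability" check repeated). Keep a re-verification sentence, for example "If the GitHub UI no longer shows `Disable`, revert these statements." Also, the added "Do not claim that this provides a security guarantee, replaces maintainer review, or proves that the project is free of vulnerabilities" line repeats the "## Security note" section immediately below almost word for word; keep one copy.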