docs: record private vulnerability reporting verification

CHANGELOG.md

@@ -8,6 +8,7 @@ This project has a published GitHub Release line, but no stable support or API g
 
 ### Added
 
+- Added a private vulnerability reporting verification record and documented that GitHub private vulnerability reporting is enabled after manual UI verification.
 - Added a dedicated CodeQL workflow for Python code scanning without changing the protected CI required check name.
 - Added a read-only security and supply-chain evaluation record for CodeQL, private vulnerability reporting, Dependabot, Scorecard, and GitHub Actions pinning.
 - Added a non-required Python 3.13 compatibility CI job without changing the protected Python 3.12 required check name.

SECURITY.md

@@ -46,9 +46,11 @@ Use fake examples only.
 
 ## Reporting a vulnerability
 
-Private vulnerability reporting has been checked and is currently verified as disabled.
+Private vulnerability reporting is enabled for this repository.
 
-Do not claim private vulnerability reporting is enabled.
+Use GitHub private vulnerability reporting for sensitive vulnerability reports when available.
+
+See `docs/PRIVATE-VULNERABILITY-REPORTING.md` for the verification record and limits of this disclosure channel.
 
 If a sensitive issue cannot be reported privately through GitHub, do not publish secrets, exploit details, private URLs, customer data, or sensitive repository contents. Open only a minimal public issue requesting a private contact path.
 

docs/PRIVATE-VULNERABILITY-REPORTING.md

@@ -0,0 +1,70 @@
+# Private Vulnerability Reporting Verification
+
+Status: enabled, manually verified in GitHub repository settings.
+
+This phase records that private vulnerability reporting was enabled manually in GitHub repository settings.
+
+## Scope
+
+Repository: `CoderDeltaLAN/agent-rules-kit`
+
+Branch: `security/verify-private-vulnerability-reporting-setting`
+
+This document records how private vulnerability reporting was verified before repository documentation claimed that it is enabled.
+
+## Official behavior
+
+GitHub documents that owners and administrators of public repositories can enable private vulnerability reporting for a repository.
+
+GitHub documents the repository-level UI path as:
+
+- repository `Settings`;
+- `Advanced Security`;
+- `Private vulnerability reporting`;
+- `Enable` or `Disable`.
+
+GitHub also documents that, when private vulnerability reporting is enabled, security researchers see a `Report a vulnerability` button on the repository's `Advisories` page.
+
+Notifications for new private vulnerability reports depend on repository watching state, security alert subscriptions, and the maintainer's notification preferences.
+
+## Verification boundary
+
+The GitHub REST repository payload did not expose a clear private vulnerability reporting enabled or disabled field during this verification phase.
+
+The repository security advisories endpoint did not provide a setting-state signal during this verification phase.
+
+Therefore, the reliable verification path for this repository setting is manual GitHub UI verification unless a future GitHub API exposes a clear setting state.
+
+## Current repository decision
+
+Private vulnerability reporting is enabled for this repository.
+
+Manual verification evidence: the repository `Settings` → `Advanced Security` page shows the `Private vulnerability reporting` control with a `Disable` button, which means the setting is currently enabled.
+
+This phase does not enable or configure Dependabot, dependency graph, dependency alerts, security updates, grouped updates, version updates, branch protection, release, PyPI, CodeQL, or action-pinning changes.
+
+## Manual verification checklist
+
+To verify the setting manually:
+
+1. Open the repository on GitHub.
+2. Go to `Settings`.
+3. In the security section, open `Advanced Security`.
+4. Find `Private vulnerability reporting`.
+5. If GitHub shows `Enable`, the feature is currently disabled.
+6. If GitHub shows `Disable`, the feature is currently enabled.
+7. If enabled, open the repository `Advisories` page and verify that `Report a vulnerability` is visible.
+8. Only after that evidence exists, update `SECURITY.md` to say private vulnerability reporting is enabled.
+
+## Documentation rule
+
+Because enabled state has been manually verified in the GitHub UI, repository documentation may state:
+
+- private vulnerability reporting is enabled;
+- security researchers may use GitHub private vulnerability reporting for this repository.
+
+Do not claim that this provides a security guarantee, replaces maintainer review, or proves that the project is free of vulnerabilities.
+
+## Security note
+
+Private vulnerability reporting is a disclosure channel. It is not a security guarantee, not a scanner, not a replacement for maintainer review, and not proof that the project is free of vulnerabilities.