docs(security): direct vulnerability reports to private channel only#410

Merged
nezhyborets merged 2 commits into main from claude/strange-taussig-a81701 on Apr 29, 2026

Conversation

@Krivoblotsky
Contributor

Summary

  • Removes the "Report security bugs by creating issues" line in SECURITY.md, which directly contradicted the private email path below it. Anyone following that instruction would publicly disclose a vulnerability before a fix existed.
  • Restructures the policy so the private channel is the primary, prominent path, with an explicit "do not report publicly" warning.
  • Keeps support@macpaw.com as the canonical contact, and mentions GitHub's private vulnerability reporting as a conditional option (so the doc stays accurate whether or not the feature is enabled on the repo).
  • Adds a short "what to include" list to make triage easier, and demotes non-security bugs to their own section.

No code changes; docs only.

Test plan

  • Render SECURITY.md on GitHub and confirm the warning is prominent and links resolve.
  • Confirm with the security team whether to enable GitHub's private vulnerability reporting, so the conditional sentence becomes unconditional in a follow-up.

🤖 Generated with Claude Code

The previous SECURITY.md had a "Reporting a Bug" section telling people
to file security bugs as public GitHub issues, directly contradicting
the private email path in the section below it. Anyone following the
first instruction would publicly disclose a vulnerability before a fix
existed.

Restructure the policy so the private channel is the primary, prominent
path with an explicit "do not report publicly" warning. Keep
support@macpaw.com as the canonical contact, mention GitHub's private
vulnerability reporting as a conditional option, and demote non-security
bugs to their own section.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

Updates the repository security policy to discourage public disclosure of vulnerabilities and direct reporters to private channels, reducing the risk of unpatched vulnerabilities being shared publicly.

Changes:

  • Replaces the prior “report security bugs via issues” guidance with an explicit “do not report publicly” warning.
  • Makes the private email channel the primary reporting path and optionally references GitHub private vulnerability reporting.
  • Adds a short “what to include” checklist and separates non-security bug reporting into its own section.


Comment thread SECURITY.md Outdated
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nezhyborets nezhyborets merged commit 2324e24 into main Apr 29, 2026
3 checks passed
@nezhyborets nezhyborets deleted the claude/strange-taussig-a81701 branch April 29, 2026 16:18
3 participants