docs: replace security email with GitHub private advisory flow#35

Merged
millerjp merged 1 commit into main from docs/prefer-github-flows-over-email
Apr 21, 2026

Conversation

@millerjp

Summary

`oss@axonops.com` appeared in four distinct contexts across the docs. Three of them (security reporting, README's security section, CONTRIBUTING's security paragraph) are better served by GitHub's private vulnerability reporting flow, which was enabled on the repo earlier today. The advisory interface gives reporters a private channel without email, and the maintainer response stays visible in the Security tab.

Kept as email (deliberately)

  • Code of Conduct enforcement — CoC reports routinely come from people who want to stay anonymous or who do not want to interact on GitHub. A non-GitHub channel is a feature, not a bug.
  • CONTRIBUTING CoC line — same reason; points at the CoC enforcement contact.
  • CLA.md corporate-CLA legal inquiries — employer / counsel inquiries about CLA scope are legal matters that belong in email.

Diff shape

  • `SECURITY.md` — reporting section rewritten around the advisory URL. Mechanics (3-day ack, 14-day plan, embargo coordination, credit) unchanged.
  • `README.md`, `CONTRIBUTING.md` — one-liner rewrites to link at the advisory URL.
  • `.github/workflows/cla.yml` — "open a discussion or email …" replaced with "open an issue on this repository" since Discussions is off.
  • `documentation_test.go` — `TestGovernance_SecurityPolicyExists` now asserts the `security/advisories/new` URL.
  • `llms-full.txt` regenerated.

Validation

  • `make check` — green, coverage 100%.
  • `TestGovernance_*` — all 10 pass.
  • Residual email audit: only `CODE_OF_CONDUCT.md:39`, `CONTRIBUTING.md:15`, `CLA.md:154`, and the CoC assertion in `documentation_test.go` still reference `oss@axonops.com` — each by design, per the bucketing above.

The oss@axonops.com email appeared in four load-bearing
contexts — security reporting, CoC enforcement, CLA legal
inquiries, and the CLA Assistant comment. GitHub's private
vulnerability reporting is the right primary channel for
security reports now that it is enabled on this repo, so
replace the email-led flow in:

  * SECURITY.md — primary channel is now
    https://github.com/axonops/syncmap/security/advisories/new
    (GitHub Security → Report a vulnerability). The advisory
    stays private until the fix ships; reporters attach PoC
    and crash dumps directly rather than mailing them.
  * README.md "Security" section — links to the advisory flow.
  * CONTRIBUTING.md security paragraph — same.
  * cla.yml "please sign" comment — "open a discussion" no
    longer applies (Discussions is off on this repo); pointed
    at issues instead.
  * documentation_test.go — TestGovernance_SecurityPolicyExists
    now asserts the "security/advisories/new" link rather than
    the email address.

Left untouched (email is genuinely the right channel, not
replaceable by a GitHub flow):

  * CODE_OF_CONDUCT.md enforcement contact — CoC reports
    benefit from a non-GitHub channel for anonymous reporters
    and reporters who don't want to interact through the repo.
  * CONTRIBUTING.md CoC-reporting line — same reason.
  * CLA.md corporate-CLA legal inquiry — legal questions from
    employers / organisations land here; email is the standard
    channel.

No code change. Coverage remains 100%. llms-full.txt
regenerated.
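Added example, not code from this PR or the syncmap project: a Go governance check in the spirit of `TestGovernance_SecurityPolicyExists` and the residual email audit described above. It asserts that `SECURITY.md` carries the advisory URL and that `oss@axonops.com` survives only in the files bucketed as "kept as email". The function names and the in-memory sample tree are assumptions constructed for the example.

```go
package main

import (
	"io/fs"
	"strings"
	"testing/fstest"
)

// Values from the PR: the advisory URL SECURITY.md must carry, and the address
// that may only survive in the deliberately-kept email contexts.
const (
	advisoryURL = "https://github.com/axonops/syncmap/security/advisories/new"
	legacyEmail = "oss@axonops.com"
)
// emailAllowlist mirrors the PR's "kept as email (deliberately)" bucket.
var emailAllowlist = map[string]bool{
	"CODE_OF_CONDUCT.md": true, "CONTRIBUTING.md": true,
	"CLA.md": true, "documentation_test.go": true,
}

// AuditGovernanceDocs returns one message per violation: SECURITY.md without the
// advisory URL (missing file reads as empty), or the email outside the allowlist.
func AuditGovernanceDocs(root fs.FS) ([]string, error) {
	var violations []string
	sec, _ := fs.ReadFile(root, "SECURITY.md")
	if !strings.Contains(string(sec), advisoryURL) {
		violations = append(violations, "SECURITY.md: missing advisory URL")
	}
	err := fs.WalkDir(root, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := fs.ReadFile(root, path)
		if err == nil && strings.Contains(string(data), legacyEmail) && !emailAllowlist[path] {
			violations = append(violations, path+": still references "+legacyEmail)
		}
		return err
	})
	return violations, err
}

// SampleRepo is a constructed in-memory tree, not the real checkout: README.md
// still carries the email, so the audit should flag exactly that file.
func SampleRepo() fs.FS {
	return fstest.MapFS{
		"SECURITY.md":        {Data: []byte("Report privately via " + advisoryURL + "\n")},
		"README.md":          {Data: []byte("Security: email " + legacyEmail + "\n")},
		"CODE_OF_CONDUCT.md": {Data: []byte("Enforcement: " + legacyEmail + "\n")},
	}
}
```

Pointing `AuditGovernanceDocs` at `os.DirFS(".")` from a test turns the one-off residual email audit into a check that fails the build the next time the address leaks back into a non-allowlisted file.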
@millerjp millerjp merged commit 10e07c6 into main Apr 21, 2026
@millerjp millerjp deleted the docs/prefer-github-flows-over-email branch April 21, 2026 06:27
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 21, 2026