From 17b5dfced260e6de0e1adc9008c69917c219894b Mon Sep 17 00:00:00 2001 
From: Johnny Miller <163300+millerjp@users.noreply.github.com>
Date: Tue, 21 Apr 2026 08:26:58 +0200
Subject: [PATCH] docs: replace security email with GitHub private advisory flow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The oss@axonops.com email appeared in four load-bearing contexts — security reporting, CoC enforcement, CLA legal inquiries, and the CLA Assistant comment. GitHub's private vulnerability reporting is the right primary channel for security reports now that it is enabled on this repo, so replace the email-led flow in:

* SECURITY.md — primary channel is now https://github.com/axonops/syncmap/security/advisories/new (GitHub Security → Report a vulnerability). The advisory stays private until the fix ships; reporters attach PoC and crash dumps directly rather than mailing them.
* README.md "Security" section — links to the advisory flow.
* CONTRIBUTING.md security paragraph — same.
* cla.yml "please sign" comment — "open a discussion" no longer applies (Discussions is off on this repo); pointed at issues instead.
* documentation_test.go — TestGovernance_SecurityPolicyExists now asserts the "security/advisories/new" link rather than the email address.

Left untouched (email is genuinely the right channel, not replaceable by a GitHub flow):

* CODE_OF_CONDUCT.md enforcement contact — CoC reports benefit from a non-GitHub channel for anonymous reporters and reporters who don't want to interact through the repo.
* CONTRIBUTING.md CoC-reporting line — same reason.
* CLA.md corporate-CLA legal inquiry — legal questions from employers / organisations land here; email is the standard channel.

No code change. Coverage remains 100%. llms-full.txt regenerated.
---
 .github/workflows/cla.yml |  2 +-
 CONTRIBUTING.md           |  2 +-
 README.md                 |  2 +-
 SECURITY.md               | 10 ++++++++--
 documentation_test.go     |  4 ++--
 llms-full.txt             | 14 ++++++++++----
 6 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index a6aa70a..982c17f 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -57,7 +57,7 @@ jobs: > I have read the CLA Document and I hereby sign the CLA - The CLA is a one-time agreement that covers every future contribution you make to any AxonOps open-source project. If you have questions before signing, please open a discussion or email `oss@axonops.com`. + The CLA is a one-time agreement that covers every future contribution you make to any AxonOps open-source project. If you have questions before signing, please open an issue on this repository. custom-pr-sign-comment: "I have read the CLA Document and I hereby sign the CLA" custom-allsigned-prcomment: "All contributors have signed the CLA. ✅" signed-commit-message: "chore(cla): $contributorName signed the CLA in #$pullRequestNo" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0f4924a..f40c5db 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -94,7 +94,7 @@ Releases happen exclusively through the [release workflow](./.github/workflows/r ## Reporting security issues -Do **not** open a public issue for a suspected vulnerability. Email `oss@axonops.com`. See [`SECURITY.md`](./SECURITY.md) for the full disclosure process and response timeline. +Do **not** open a public issue for a suspected vulnerability. Use GitHub's private advisory flow via the [Security tab](https://github.com/axonops/syncmap/security/advisories/new). See [`SECURITY.md`](./SECURITY.md) for the full disclosure process and response timeline. ## Licence diff --git a/README.md b/README.md index 38dbea5..a196317 100644 --- a/README.md +++ b/README.md 
@@ -168,7 +168,7 @@ See [`CONTRIBUTING.md`](./CONTRIBUTING.md) for the branching model, commit messa ## 🔐 Security -Report suspected vulnerabilities privately to **oss@axonops.com**. Do not open a public issue. See [`SECURITY.md`](./SECURITY.md) for the full policy, supported-version table, and threat model. +Do not open a public issue for a suspected vulnerability. Use GitHub's private advisory flow — [**Report a vulnerability**](https://github.com/axonops/syncmap/security/advisories/new) — which creates a private channel between you and the maintainers. See [`SECURITY.md`](./SECURITY.md) for the full policy, supported-version table, and threat model. ## 📜 Attribution diff --git a/SECURITY.md b/SECURITY.md index 6e07f50..6895e93 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -34,7 +34,13 @@ The `syncmap` library follows [Semantic Versioning](https://semver.org/spec/v2.0 **Do not open a public issue for a suspected vulnerability.** -Email **oss@axonops.com** with: +Use GitHub's private vulnerability reporting: + +**[Report a vulnerability](https://github.com/axonops/syncmap/security/advisories/new)** + +GitHub creates a private advisory visible only to you and the maintainers. You can attach proof-of-concept code, crash reports, or `go test -race` output directly to the advisory, and the discussion stays private until a fix ships. + +When you file, please include: - A concise description of the issue. - Steps to reproduce, including the Go version and OS/architecture. @@ -46,7 +52,7 @@ We will: - Acknowledge receipt within **3 business days**. - Share a mitigation plan within **14 business days**. - Coordinate an embargoed release with you if a fix requires a new tag. -- Credit you in the release notes and in this repository's security advisories unless you request otherwise. +- Credit you in the release notes and on the advisory unless you request otherwise. ## Dependency security 
diff --git a/documentation_test.go b/documentation_test.go index 187c368..66e8095 100644 --- a/documentation_test.go +++ b/documentation_test.go @@ -296,8 +296,8 @@ func TestGovernance_SecurityPolicyExists(t *testing.T) { require.NoError(t, err, "SECURITY.md must exist at the repo root") s := string(body) - assert.Contains(t, s, "oss@axonops.com", - "SECURITY.md must carry the AxonOps oss@axonops.com reporting contact") + assert.Contains(t, s, "security/advisories/new", + "SECURITY.md must link to GitHub's private-advisory reporting flow") assert.Contains(t, s, "Supported versions", "SECURITY.md must document supported versions") } diff --git a/llms-full.txt b/llms-full.txt index 98ac94b..3203a82 100644 --- a/llms-full.txt +++ b/llms-full.txt @@ -313,7 +313,7 @@ See [`CONTRIBUTING.md`](./CONTRIBUTING.md) for the branching model, commit messa ## 🔐 Security -Report suspected vulnerabilities privately to **oss@axonops.com**. Do not open a public issue. See [`SECURITY.md`](./SECURITY.md) for the full policy, supported-version table, and threat model. +Do not open a public issue for a suspected vulnerability. Use GitHub's private advisory flow — [**Report a vulnerability**](https://github.com/axonops/syncmap/security/advisories/new) — which creates a private channel between you and the maintainers. See [`SECURITY.md`](./SECURITY.md) for the full policy, supported-version table, and threat model. ## 📜 Attribution 
@@ -504,7 +504,7 @@ Releases happen exclusively through the [release workflow](./.github/workflows/r ## Reporting security issues -Do **not** open a public issue for a suspected vulnerability. Email `oss@axonops.com`. See [`SECURITY.md`](./SECURITY.md) for the full disclosure process and response timeline. +Do **not** open a public issue for a suspected vulnerability. Use GitHub's private advisory flow via the [Security tab](https://github.com/axonops/syncmap/security/advisories/new). See [`SECURITY.md`](./SECURITY.md) for the full disclosure process and response timeline. ## Licence @@ -550,7 +550,13 @@ The `syncmap` library follows [Semantic Versioning](https://semver.org/spec/v2.0 **Do not open a public issue for a suspected vulnerability.** -Email **oss@axonops.com** with: +Use GitHub's private vulnerability reporting: + +**[Report a vulnerability](https://github.com/axonops/syncmap/security/advisories/new)** + +GitHub creates a private advisory visible only to you and the maintainers. You can attach proof-of-concept code, crash reports, or `go test -race` output directly to the advisory, and the discussion stays private until a fix ships. + +When you file, please include: - A concise description of the issue. - Steps to reproduce, including the Go version and OS/architecture. @@ -562,7 +568,7 @@ We will: - Acknowledge receipt within **3 business days**. - Share a mitigation plan within **14 business days**. - Coordinate an embargoed release with you if a fix requires a new tag. -- Credit you in the release notes and in this repository's security advisories unless you request otherwise. +- Credit you in the release notes and on the advisory unless you request otherwise. ## Dependency security
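Review bot: the replacement comment in the cla.yml hunk removes the only private contact for CLA questions, so a contributor whose question concerns their employer or a corporate CLA is now told to raise it in a public issue, while the commit message says CLA.md keeps the email precisely for corporate-CLA legal inquiries. Consider pointing the comment at CLA.md for that case alongside "please open an issue on this repository", so the public-issue path is reserved for general questions.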
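Review bot: in the CONTRIBUTING.md hunk the link text reads "Security tab" but the target is the new-advisory form (`security/advisories/new`), not the tab itself; either label the link "Report a vulnerability" as the README.md and SECURITY.md hunks in this same patch do, or point it at the repository's `/security` page if the tab is what is meant. Consistent wording across the three files also makes it obvious to a reporter that all three lead to the same private flow.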
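Review bot: the SECURITY.md hunk at `@@ -34,7 +34,13 @@` drops the email without naming any fallback for reporters who cannot use the GitHub form (no GitHub account, or an employer policy that forbids reporting through a third-party site). The commit message keeps the email for CoC reports on the grounds that some reporters do not want to interact through the repo; the same argument applies to vulnerability reports. Either add a line after the "Report a vulnerability" link such as "If you cannot use GitHub, email oss@axonops.com", or state explicitly that the advisory form is the only accepted channel so reporters are not left guessing.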
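Review bot: the new assertion in the documentation_test.go hunk checks only the path fragment `security/advisories/new`, so a link that points at a different owner/repository under the same path (for example one copied from another project's SECURITY.md template) would still pass. Assert the full URL that the SECURITY.md hunk introduces, `https://github.com/axonops/syncmap/security/advisories/new`, and only add an `assert.NotContains(t, s, "oss@axonops.com", ...)` if the decision is that the email is deliberately gone from SECURITY.md; if a fallback email is kept there, leave that check out.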
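Review bot: the three llms-full.txt hunks repeat the README.md, CONTRIBUTING.md and SECURITY.md hunks word for word, and the commit message says the file was regenerated, but nothing in the patch shows that regeneration is enforced. If there is no CI step that regenerates llms-full.txt and fails on a diff, add one; otherwise the next documentation-only change can leave the generated copy pointing at a stale reporting contact while the source files have moved on.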