
Revise security vulnerability reporting instructions#853

Open
Dredsen wants to merge 1 commit into tinyauthapp:main from Dredsen:patch-1

Conversation


@Dredsen Dredsen commented May 13, 2026

Updated the vulnerability reporting process to emphasize private reporting and added a structured format for better submissions.

Also added AI disclosure for reports.

This is just an improved catch-all; hope you don't mind.

Summary by CodeRabbit

  • Documentation
    • Updated security vulnerability reporting guidelines with detailed submission procedures, structured triage templates, and expectations for acknowledgement, credit, and 90-day coordinated disclosure timeline.

@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label May 13, 2026
Contributor

coderabbitai Bot commented May 13, 2026

📝 Walkthrough

SECURITY.md undergoes a complete rewrite: the brief security-contact statement becomes a structured vulnerability reporting policy with explicit private reporting channels (GitHub Security tab or email), a required submission template (summary, reproduction steps, expected/actual behavior, optional fix), and post-submission expectations (acknowledgement, credit, CVE assignment, and 90-day coordinated disclosure).

Changes

Vulnerability Reporting Policy

Layer / File(s) | Summary
Reporting channels and submission template (SECURITY.md) | Explicit instructions prohibit public GitHub issues and direct reporters to private channels (Security tab, GitHub private reporting link, or email). A structured template specifies required sections: summary, steps to reproduce/proof-of-concept, expected vs. actual behavior, and an optional suggested fix with testing notes.
Acknowledgement and disclosure expectations (SECURITY.md) | A "What to Expect" section commits to timely acknowledgement and updates, offers public credit and CVE assignment where applicable, and establishes a 90-day coordinated disclosure window with mutual agreement on publication timing before public disclosure.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🐰 A hutch of rules now guards the warren's door,
Vulnerabilities told in private lore,
Ninety days to patch before the world can see,
Credit given kindly for researchers' discovery! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Revise security vulnerability reporting instructions' directly and accurately describes the main change—updating SECURITY.md with a comprehensive vulnerability reporting policy.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
SECURITY.md (2)

11-11: ⚡ Quick win

Add a direct private-report submission URL for this repository.

Line 11 currently points to general docs only. Adding the repo’s direct advisory submission link reduces friction and improves report quality/completion rate.

Proposed wording
-Instead, report them privately using [GitHub's Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) via the **Security** tab of this repository.
+Instead, report them privately using [GitHub's Private Vulnerability Reporting](https://github.com/tinyauthapp/tinyauth/security/advisories/new) (or via the **Security** tab of this repository).
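Review bot: the `+` line swaps the GitHub docs link for a repository-specific advisory URL (https://github.com/tinyauthapp/tinyauth/security/advisories/new); that path returns an error unless private vulnerability reporting is enabled in the repository's settings and the owner/repo segment matches this repository, so both should be confirmed before the wording is merged. Keeping the original docs link alongside the direct link would also help reporters who have not used GitHub's private reporting flow before, and the email channel mentioned in the walkthrough should still be listed as a fallback for reporters without a GitHub account.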
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` at line 11, Update SECURITY.md to replace or augment the generic
GitHub docs link text ("GitHub's Private Vulnerability Reporting") with the
repository-specific private vulnerability disclosure URL (the repository's
direct "Report a vulnerability" advisory submission link), e.g., add the
repo-specific advisory submission link alongside or instead of the general docs
so reporters can click straight through from the Security tab; ensure the
visible anchor text still references "Security tab" and that the new URL is the
repository's direct private-report submission endpoint.

9-9: ⚡ Quick win

Use maintainer-neutral wording instead of first-person capacity framing.

Line 9’s “as I won't be able to patch them in time” can read as an availability constraint rather than a policy rule. Consider neutral wording focused on risk reduction and coordinated handling.

Proposed wording
-Please **do not** report security vulnerabilities through public GitHub issues, discussions, or pull requests as I won't be able to patch them in time and they may get exploited by malicious actors.
+Please **do not** report security vulnerabilities through public GitHub issues, discussions, or pull requests, as this can expose users before a fix is available.
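Review bot: the `+` line states the risk neutrally, which is an improvement, but the sentence still ends without telling the reporter what to do instead; since the private channel is only named on line 11, consider appending a short pointer such as "Use the private reporting channels described below." so the prohibition and the alternative are read together.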
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` at line 9, Replace the first-person phrasing in SECURITY.md that
reads "as I won't be able to patch them in time" with maintainer-neutral
language focused on risk and coordinated disclosure; e.g., change the sentence
"Please do not report security vulnerabilities through public GitHub issues,
discussions, or pull requests as I won't be able to patch them in time and they
may get exploited by malicious actors." to a neutral variant that explains the
risk and the need for coordinated handling (for example: "Please do not report
security vulnerabilities through public GitHub issues, discussions, or pull
requests, as public disclosure can enable exploitation and prevents coordinated,
timely remediation. Report vulnerabilities through the project's designated
private channel instead."). Ensure you update the phrasing in SECURITY.md and
keep the guidance about avoiding public reports and how to report privately.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: cb97c202-4136-4ce4-bd13-5c2fd33fed3b

📥 Commits

Reviewing files that changed from the base of the PR and between a9eac7e and bca454f.

📒 Files selected for processing (1)
  • SECURITY.md
