Skip to content

docs(security): treat a fix or PR as disclosure, require private report first#1785

Merged
lukaszlenart merged 1 commit into
mainfrom
docs/security-disclosure-via-pr
Jul 14, 2026
Merged

docs(security): treat a fix or PR as disclosure, require private report first#1785
lukaszlenart merged 1 commit into
mainfrom
docs/security-disclosure-via-pr

Conversation

@lukaszlenart

Copy link
Copy Markdown
Member

What

Strengthens SECURITY.md so it is explicit that a fix is a disclosure, not only a PoC.

Two changes:

  1. New section — "Do not disclose through a pull request, commit, or issue". Directs reporters to email security@struts.apache.org first and wait for the PMC to triage and agree how the fix is handled, and covers the "found it while working on an unrelated bug/PR" and "when in doubt, report privately" cases.
  2. Extended the PoC bullet in "Report Quality Rules" to state that a fix, patch, or hardening change is a public disclosure in the same way a PoC is, cross-linking the new section.

Why

The existing disclosure rules only forbade publishing exploit/PoC code. A well-meaning contributor who opens a public PR that fixes or hints at a suspected vulnerability honestly reads those rules as satisfied — "I'm not posting a PoC, I'm hardening the code" — while the PR itself telegraphs where the weakness is, with a working roadmap, before a fixed release exists.

This brings SECURITY.md (the human-facing canonical doc) in line with the rule already stated in CLAUDE.md / AGENTS.md: "Never submit a PR that fixes a suspected vulnerability."

Scope

Documentation only. THREAT_MODEL.md intentionally not changed: it delegates the reporting process to SECURITY.md (§1 "Reporting cross-reference", §15 "additive — does not replace SECURITY.md … reporting process"). The disclosure-channel rule is a reporting-process concern, not a scope/property/adversary statement, so it belongs only in SECURITY.md.

🤖 Generated with Claude Code

…rt first

The disclosure rules only forbade publishing exploit/PoC code, so a
contributor who opens a public PR that fixes or hints at a suspected
vulnerability reads them as satisfied — the fix itself telegraphs the
weakness before a fixed release exists.

Add a dedicated "Do not disclose through a pull request, commit, or issue"
section directing reporters to email security@struts.apache.org first, and
extend the PoC rule in Report Quality Rules to state that a fix, patch, or
hardening change is a public disclosure in the same way a PoC is. Aligns
SECURITY.md with the rule already stated in CLAUDE.md/AGENTS.md.

🤖 Generated by AI Assistant
@sonarqubecloud

Copy link
Copy Markdown

@lukaszlenart
lukaszlenart merged commit cf22320 into main Jul 14, 2026
10 checks passed
@lukaszlenart
lukaszlenart deleted the docs/security-disclosure-via-pr branch July 14, 2026 18:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant