From 9244a93169fad7c32de92a9001c40988b1739fc0 Mon Sep 17 00:00:00 2001
From: Krivoblotsky
Date: Wed, 29 Apr 2026 16:54:49 +0300
Subject: [PATCH 1/2] docs(security): direct vulnerability reports to private channel only

The previous SECURITY.md had a "Reporting a Bug" section telling people to file security bugs as public GitHub issues, directly contradicting the private email path in the section below it. Anyone following the first instruction would publicly disclose a vulnerability before a fix existed.

Restructure the policy so the private channel is the primary, prominent path with an explicit "do not report publicly" warning. Keep support@macpaw.com as the canonical contact, mention GitHub's private vulnerability reporting as a conditional option, and demote non-security bugs to their own section.

Co-Authored-By: Claude Opus 4.7
---
 SECURITY.md | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 6340c409..f2c1476b 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -7,11 +7,27 @@ | 0.x.x | :white_check_mark: | | 1.x.x | :white_check_mark: | -## Reporting a Bug +## Reporting a Vulnerability -Report security bugs by creating [issues](https://github.com/MacPaw/OpenAI/issues). +**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** -## Reporting a Vulnerability +Report (suspected) security vulnerabilities privately to +**[support@macpaw.com](mailto:support@macpaw.com)**. + +If [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) +is enabled on the repository, you can also use GitHub's +["Report a vulnerability"](https://github.com/MacPaw/OpenAI/security/advisories/new) form. + +Please include: + +- A description of the issue and its potential impact. +- Steps to reproduce, a proof-of-concept, or affected code paths. +- The version(s) of the library you tested against. + +We will acknowledge your report, investigate, and coordinate a fix and +disclosure timeline with you. + +## Reporting Non-Security Bugs -Please report (suspected) security vulnerabilities to -**[support@macpaw.com](mailto:support@macpaw.com)**. +For non-security bugs, please open a regular +[GitHub issue](https://github.com/MacPaw/OpenAI/issues). From 88534fce94cf0f2ddff68a44d5baf4500fc0f49e Mon Sep 17 00:00:00 2001 From: Oleksii Date: Wed, 29 Apr 2026 18:54:21 +0300 Subject: [PATCH 2/2] Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- SECURITY.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index f2c1476b..5e4baab1 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -15,8 +15,9 @@ Report (suspected) security vulnerabilities privately to **[support@macpaw.com](mailto:support@macpaw.com)**. If [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) -is enabled on the repository, you can also use GitHub's -["Report a vulnerability"](https://github.com/MacPaw/OpenAI/security/advisories/new) form. +is enabled on the repository, you can also use the +["Security"](https://github.com/MacPaw/OpenAI/security) tab and click +the **Report a vulnerability** button. Please include:
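Review bot: In the PATCH 1/2 hunk (`@@ -7,11 +7,27 @@`), the closing sentence "We will acknowledge your report, investigate, and coordinate a fix and disclosure timeline with you." gives a reporter no response window, so they cannot tell when silence means the report was lost. Suggest committing to a concrete acknowledgement window (for example "We aim to acknowledge reports within N business days") and, if the project follows a default disclosure deadline, stating it here rather than leaving the timeline entirely open. Related: `support@macpaw.com` is a general support mailbox and the hunk offers no PGP key or other encrypted path, while the "Please include:" list explicitly asks for a proof-of-concept; either publish a key for the mailbox or tell reporters that the GitHub form is the preferred route for sensitive details, so that exploit code is not sent in plaintext mail to a shared queue.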
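Review bot: In the PATCH 2/2 hunk (`@@ -15,8 +15,9 @@`), the leading context line "If [private vulnerability reporting](...) is enabled on the repository" is still conditional after this change, and the new instruction "click the **Report a vulnerability** button" only works if that feature is actually on; a reporter who opens the Security tab and finds no button is left guessing. The maintainers can check this in the repository's settings, so state it definitively: keep the tab link and drop the "If ... is enabled" clause when the feature is on, or remove the GitHub route and leave email as the sole channel when it is off. Pointing at the `/security` tab instead of the previous `/security/advisories/new` URL is the right call, since the tab exists regardless of that setting while the direct form URL does not.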