
[feat] docs(security): clarify PSIRT reporting path#1412

Open
13ernkastel wants to merge 3 commits into NVIDIA:main from 13ernkastel:codex/fix-security-reporting-guidance

Conversation

@13ernkastel

@13ernkastel 13ernkastel commented Apr 3, 2026

Summary

Updates SECURITY.md so it no longer instructs NemoClaw reporters to use a GitHub Report a vulnerability flow that is not currently available on the repository Security page.
The revised guidance tells users to report NemoClaw vulnerabilities directly to NVIDIA PSIRT through the NVIDIA Vulnerability Disclosure Program or psirt@nvidia.com.

Related Issue

None.

Changes

  • Replaced the unconditional GitHub private vulnerability reporting instructions in SECURITY.md
  • Stated that this repository does not currently show Report a vulnerability in the Security tab
  • Directed NemoClaw vulnerability reports to NVIDIA PSIRT through the NVIDIA Vulnerability Disclosure Program or psirt@nvidia.com

Type of Change

  • Code change for a new feature, bug fix, or refactor.
  • Code change with doc updates.
  • Doc only. Prose changes without code sample modifications.
  • Doc only. Includes code sample changes.

Testing

  • npx prek run --all-files passes (or equivalently make check).
  • npm test passes.
  • make docs builds without warnings. (for doc-only changes)
  • npx markdownlint-cli2 SECURITY.md passes.

Checklist

General

Code Changes

  • Formatters applied — npx prek run --all-files auto-fixes formatting (or make format for targeted runs).
  • Tests added or updated for new or changed behavior.
  • No secrets, API keys, or credentials committed.
  • Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

Doc Changes

  • Follows the style guide. Try running the update-docs agent skill to draft changes while complying with the style guide. For example, prompt your agent with "/update-docs catch up the docs for the new changes I made in this PR."
  • New pages include SPDX license header and frontmatter, if creating a new page.
  • Cross-references and links verified.

Signed-off-by: 13ernkastel LennonCMJ@live.com

Summary by CodeRabbit

  • Documentation
    • Updated security vulnerability reporting instructions to direct users to contact NVIDIA PSIRT via the Vulnerability Disclosure Program or email instead of GitHub's private reporting feature.

@coderabbitai
Contributor

coderabbitai bot commented Apr 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2db39673-44ee-40a7-847e-2bd3e2435435

📥 Commits

Reviewing files that changed from the base of the PR and between 494ecde and 251ec3c.

📒 Files selected for processing (1)
  • SECURITY.md

📝 Walkthrough

Updated SECURITY.md to clarify vulnerability reporting procedures, removing outdated GitHub private vulnerability reporting UI instructions and adding direct contact information for NVIDIA's Vulnerability Disclosure Program and email reporting.

Changes

Cohort / File(s) | Summary
Security Documentation (SECURITY.md) | Removed GitHub private vulnerability reporting UI guidance and added direct reporting instructions via the NVIDIA Vulnerability Disclosure Program link and the psirt@nvidia.com email.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A rabbit hops through security's hall,
Updating the paths for disclosure calls,
GitHub's old way now fades from sight,
NVIDIA's direct route shines bright,
Safer channels help vulnerabilities fall! 🔐

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title clearly and specifically describes the main change: updating documentation to clarify the PSIRT (NVIDIA Product Security Incident Response Team) reporting path for vulnerabilities.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@13ernkastel 13ernkastel changed the title [codex] docs(security): clarify PSIRT reporting path [feat] docs(security): clarify PSIRT reporting path Apr 3, 2026
@13ernkastel 13ernkastel marked this pull request as ready for review April 3, 2026 12:47
@wscurran wscurran added documentation Improvements or additions to documentation security Something isn't secure priority: medium Issue that should be addressed in upcoming releases labels Apr 3, 2026