Skip to content

Commit 2119383

Browse files
authored
Merge pull request cli#13119 from cli/kw/security-md-dep-cve-policy
Document dependency CVE policy in SECURITY.md
2 parents a646bbe + 73d65ed commit 2119383

1 file changed

Lines changed: 2 additions & 0 deletions

File tree

.github/SECURITY.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,8 @@ If you believe you have found a security vulnerability in GitHub CLI, you can re
1111

1212
**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
1313

14+
A dependency having a CVE does not mean `gh` has a vulnerability. We use [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) to determine whether vulnerable symbols are actually reachable from `gh`'s code. If you are reporting a dependency CVE, please include evidence that the issue is exploitable in `gh`: a call chain into the affected symbols or a proof of concept. Reports that only list a dependency version and CVE without demonstrating impact will be closed.
15+
1416
Thanks for helping make GitHub safe for everyone.
1517

1618
[private vulnerability reporting]: https://github.com/cli/cli/security/advisories

0 commit comments

Comments
 (0)