Add GitHub private vulnerability reporting info

ssh4net · ssh4net · commit 226b9c65ce04 · 2026-04-06T00:13:17.000+09:00
Update SECURITY.md and docs/sphinx/security.rst to add a "Reporting Vulnerabilities" section that directs users to GitHub private vulnerability reporting (https://github.com/ssh4net/OpenMeta/security/advisories/new). Request a minimal reproducer (file or hex snippet), build flags, and stack trace, and advise against publishing exploit details until a fix is available.
diff --git a/SECURITY.md b/SECURITY.md
@@ -104,8 +104,12 @@ cmake --build build-fuzz
 ./build-fuzz/openmeta_fuzz_exif_tiff_decode -max_total_time=60
 ```
 
-## Reporting
+## Reporting Vulnerabilities
 
-If you find a security issue, please provide a minimal reproducer file (or
-hex snippet), build flags, and stack trace. Avoid publishing exploit details
-until a fix is available.
+If you find a security issue, please use GitHub private vulnerability
+reporting:
+
+- https://github.com/ssh4net/OpenMeta/security/advisories/new
+
+Please provide a minimal reproducer file (or hex snippet), build flags, and
+stack trace. Avoid publishing exploit details until a fix is available.
diff --git a/docs/sphinx/security.rst b/docs/sphinx/security.rst
@@ -62,4 +62,15 @@ What the tests do
 - Unit tests cover normal and malformed inputs.
 - libFuzzer and FuzzTest targets exercise parsers under sanitizers.
 
+Reporting vulnerabilities
+-------------------------
+
+If you find a security issue, please use GitHub private vulnerability
+reporting:
+
+- https://github.com/ssh4net/OpenMeta/security/advisories/new
+
+Please include a minimal reproducer file (or hex snippet), build flags, and
+stack trace. Avoid publishing exploit details until a fix is available.
+
 For the full policy and threat model, see ``SECURITY.md`` in the repository.
