Security

Security work is speed-first, but not sloppy. The goal is to fix real user risk quickly without giving attackers a clearer map before users have the fix.

Operating Rules

  • GHSA fixes usually go directly to main.
  • Generally do not open a PR for a GHSA fix.
  • Do not proceed until you understand the direct-to-main exception and its tradeoffs.
  • The normal maintainer PR flow still applies to non-security work.
  • If a report involves auth, sandboxing, command execution, file access, token handling, update paths, or provider boundaries, treat it as security-relevant until proven otherwise.

Metadata Hygiene

  • Keep commit messages vague while fixes roll out.
  • Do not include GHSA references, CVEs, issue numbers, advisory links, root cause, exploit path, impacted subsystem, or security impact in public metadata.
  • Avoid branch names, PR titles, and comments that explain the vulnerability before users can upgrade.
  • Keep real discussion in maintainer channels.

Triage Standard

  • Be strict about what counts as a vulnerability.
  • Opt-in features that users must explicitly enable can be out of scope.
  • Hardening-only reports should stay in triage, get the hardening work, receive a completion comment, and then close.
  • Do not move hardening-only advisories to draft if the team does not accept them as valid vulnerabilities.
  • When unsure, discuss in #maintainer-security-ops before accepting.

Coordination

  • Post the GHSA link in #maintainer-security-ops when you pick it up.
  • Post start and end of shift so other triagers know the live state.
  • Peter owns GHSA state changes.
  • Keep GHSA comments final-output quality. Assume they may be read by a broader audience.

Detector Follow-Up

  • After normal GHSA triage or remediation establishes the concrete bug behavior, consider ghsa-opengrep-detector.
  • Use detector work to prevent regressions or catch verified variants.
  • Do not let detector creation replace triage, remediation, or advisory state judgment.
  • If a report is out of scope, hardening-only, or performance-only, skip detector work unless maintainers explicitly want defense-in-depth coverage.