
✨ Factor private vulnerability reporting into Security-Policy#5073

Open: bmendonca3 wants to merge 1 commit into ossf:main from bmendonca3:feat-private-vuln-reporting-security-policy

Conversation

@bmendonca3


What this PR does

Adds GitHub private vulnerability reporting as an experimental Security-Policy probe and factors it into the Security-Policy score.

Specifically, this:

  • reads GitHub private vulnerability reporting status through the REST API when available
  • returns OutcomeNotApplicable when the setting is unavailable or unsupported
  • gives Security-Policy an 8/10 floor when private vulnerability reporting is enabled
  • keeps existing 10/10 behavior for complete security policies
  • updates generated probe/check docs and OSPS baseline coverage notes

Refs #2465.

Testing

  • go test ./probes/securityPolicyPrivateVulnerabilityReportingEnabled -count=1
  • go test ./checks/evaluation -run TestSecurityPolicy -count=1
  • go test ./checks/raw -run 'TestSecurityPolicy|TestPrivateVulnerabilityReportingStatus' -count=1
  • go test ./checks -run TestSecurityPolicy -count=1
  • go test ./clients/githubrepo -run TestDoesNotExist -count=1
  • go test ./checks/... ./probes/securityPolicyPrivateVulnerabilityReportingEnabled -count=1
  • make validate-docs
  • git diff --check
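To show the behaviour the description lists (REST lookup of the private vulnerability reporting setting, not-applicable when the endpoint is unsupported, an 8/10 floor only when the setting is enabled, and an untouched 10/10 for a complete policy), here is an added Go example; it is not code from this PR or from ossf/scorecard. It assumes that GitHub's `GET /repos/{owner}/{repo}/private-vulnerability-reporting` endpoint answers with a JSON body of the form `{"enabled": bool}`, stands up a fake server for that endpoint, and uses its own names (`ProbePVR`, `ScoreSecurityPolicy`, `NewFakeGitHub`) rather than scorecard's probe or evaluation identifiers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Outcome is the example's stand-in for the three probe results the PR
// description mentions; it is not scorecard's own finding type.
type Outcome int

const (
	OutcomeNotApplicable Outcome = iota // setting unavailable or unsupported
	OutcomeFalse                        // private vulnerability reporting disabled
	OutcomeTrue                         // private vulnerability reporting enabled
)

func (o Outcome) String() string {
	return [...]string{"NotApplicable", "False", "True"}[o]
}

// pvrResponse is the assumed body of GitHub's private-vulnerability-reporting
// endpoint: {"enabled": true|false}.
type pvrResponse struct {
	Enabled bool `json:"enabled"`
}

// ProbePVR queries the endpoint for owner/repo and maps the HTTP result onto an
// Outcome. A 404 (endpoint unsupported, e.g. an older enterprise server) or a
// 403 (token lacks permission) is reported as NotApplicable rather than as a
// failing result, so a repository is never penalised for a setting that could
// not be read; transport errors and other statuses surface as errors.
func ProbePVR(client *http.Client, baseURL, owner, repo string) (Outcome, error) {
	url := fmt.Sprintf("%s/repos/%s/%s/private-vulnerability-reporting", baseURL, owner, repo)
	resp, err := client.Get(url)
	if err != nil {
		return OutcomeNotApplicable, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
	case http.StatusNotFound, http.StatusForbidden:
		return OutcomeNotApplicable, nil
	default:
		return OutcomeNotApplicable, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, url)
	}
	var body pvrResponse
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return OutcomeNotApplicable, err
	}
	if body.Enabled {
		return OutcomeTrue, nil
	}
	return OutcomeFalse, nil
}

// ScoreSecurityPolicy folds the probe outcome into an existing 0-10 policy
// score: an enabled setting raises the score to at least 8 and never lowers
// it, so a complete policy keeps its 10, and a disabled or unreadable setting
// leaves the existing score alone.
func ScoreSecurityPolicy(policyScore int, pvr Outcome) int {
	const floor = 8
	if pvr == OutcomeTrue && policyScore < floor {
		return floor
	}
	return policyScore
}

// NewFakeGitHub serves the assumed endpoint for a constructed set of repos.
// state maps "owner/repo" to "enabled", "disabled" or "forbidden"; unknown
// repos get a 404, as an unsupported endpoint would.
func NewFakeGitHub(state map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/repos/"), "/private-vulnerability-reporting")
		w.Header().Set("Content-Type", "application/json")
		switch state[key] {
		case "enabled":
			fmt.Fprint(w, `{"enabled": true}`)
		case "disabled":
			fmt.Fprint(w, `{"enabled": false}`)
		case "forbidden":
			w.WriteHeader(http.StatusForbidden)
		default:
			w.WriteHeader(http.StatusNotFound)
		}
	}))
}

func main() {
	// Constructed fixture: one repo with reporting enabled and a minimal policy.
	srv := NewFakeGitHub(map[string]string{"ossf/example": "enabled"})
	defer srv.Close()
	outcome, err := ProbePVR(srv.Client(), srv.URL, "ossf", "example")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("probe=%s score=%d\n", outcome, ScoreSecurityPolicy(3, outcome))
}
```

The fake server stands in for api.github.com; pointing `baseURL` at the real API with an authenticated client exercises the same mapping of 200/403/404 responses.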
Security-Policy now factors GitHub private vulnerability reporting into the score when the setting is available.

Signed-off-by: bmendonca3 <208517100+bmendonca3@users.noreply.github.com>
@bmendonca3 bmendonca3 requested a review from a team as a code owner May 29, 2026 00:41
@bmendonca3 bmendonca3 requested review from jeffmendoza and justaugustus and removed request for a team May 29, 2026 00:41
@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label May 29, 2026

@justaugustus justaugustus left a comment

Member


See note about AI contributions —> ossf/allstar#841 (comment)


github-actions Bot commented Jun 9, 2026


This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions Bot added the Stale label Jun 9, 2026