docs: remove public GHSA fix mechanism details

Peter Steinberger
2026-05-28 16:30:09 +01:00
parent f8c8c0d41e
commit 79e733cc34
2 changed files with 5 additions and 4 deletions


@@ -85,4 +85,4 @@ jq -r .description < /tmp/ghsa.refetch.json | rg '\\\\n'
- Publishing fails with HTTP 422 if required fields are missing or the private fork still has open PRs.
- A payload that looks correct in shell can still be wrong if Markdown was assembled with escaped newline strings.
- Advisory PATCH sequencing matters; separate field updates when GHSA API constraints require it.
- Public hardening/no-publish comments and draft text should avoid raw commit hashes. Prefer release versions, PRs, patched-version fields, or "the fix on main"; keep full SHAs in internal evidence unless publishing a real CVE/GHSA needs them.
- Public hardening/no-publish comments and draft text should avoid raw commit hashes, PR titles/numbers, and fix-mechanism summaries. Prefer patched-version fields or release-only wording; keep SHAs, PRs, and implementation notes in internal evidence.
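Review bot: the replacement bullet drops the carve-out the old bullet carried ("unless publishing a real CVE/GHSA needs them"), so the guidance no longer says what to do when a published advisory genuinely needs a SHA for downstream tracking; if that exception is meant to survive for published advisories, state it here, e.g. "…keep SHAs, PRs, and implementation notes in internal evidence unless a published CVE/GHSA needs them." If dropping it is intentional, the commit message should say so, since it currently only describes removing fix-mechanism details. The new term "fix-mechanism summaries" is also undefined in this section; a short parenthetical (what the patch changes, which check was added, and so on) would make the rule checkable by whoever drafts the comment.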


@@ -94,9 +94,10 @@ Keep tone firm, specific, non-defensive.
## Public Wording Hygiene
- Keep raw commit hashes out of hardening/no-publish close comments and public advisory text. Use the shipped version, planned patched version, PR, or "the fix on main" instead.
- Keep exact commit SHAs in internal notes and verification files. Include raw SHAs in a public advisory only when publishing a real vulnerability and the SHA materially helps downstream tracking.
- For hardening/no-publish outcomes, do not add exploit-heavy details or a "Fix Commit(s)" section. Thank reporters, preserve credit, state the `SECURITY.md` boundary, and say clearly that the GHSA will close without publication.
- Keep raw commit hashes, PR titles/numbers, and fix-mechanism summaries out of public advisory text. Use the patched release/version field only.
- Keep exact commit SHAs, PRs, and implementation notes in internal notes and verification files.
- For hardening/no-publish outcomes, do not add exploit-heavy details, "Fixed by" text, or a "Fix Commit(s)" section. Thank reporters, preserve credit, state the `SECURITY.md` boundary, and say clearly that the GHSA will close without publication.
- For published CVE/GHSA text, prefer `### Patched Versions` with the fixed release. Do not explain how the patch works unless Peter explicitly asks for that public detail.
- Keep GHSA ids out of changelog and release-note wording unless Peter explicitly asks.
## Discussion Mode
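Review bot: the new first bullet is absolute ("Use the patched release/version field only.") while the retained "For published CVE/GHSA text" bullet still allows patch-mechanism detail when Peter explicitly asks, so the section now contradicts itself on whether any exception exists; either add the same "unless Peter explicitly asks" clause to the new bullet or reword the retained one to cover only the Patched Versions heading. The removed bullet also carried a narrower rule ("Include raw SHAs in a public advisory only when publishing a real vulnerability and the SHA materially helps downstream tracking") that the replacement silently removes rather than tightens; if the intent is that published advisories never carry SHAs, say that explicitly so readers do not assume the old exception still applies.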