Table of Contents generated with DocToc
Agentic Drafting-time elaboration of the tracker-confidentiality rules. The load-bearing rules — the three-layer model (identifiers public, contents private, security-framing embargoed), the “what public surfaces must not contain” checklist, the content scrub, and “other ASF projects” — live inline in AGENTS.md. This file holds the two how-to elaborations that an agent loads when it is actually composing reporter-facing or public text.
When the recipient is an external reporter, a public-PR reviewer who is not on the security team, or any other audience without read access to <tracker>, pair the URL with a one-line note that the link is an identifier only:
Tracking this internally as
https://github.com/<tracker>/issues/NNN(private — you will not be able to view the page; included as a stable identifier so we both reference the same issue across messages).
Wording is not load-bearing; the load-bearing element is that the recipient knows the link will 404 for them and that this is expected. The note can be omitted on surfaces where every viewer is a security-team member (the tracker itself, <security-list> threads restricted to the team, internal docs, rollup entries).
<upstream> PR descriptions and commit messages — may include the tracker URL as a cross-reference, so long as the surrounding text does not characterise the PR as a security fix (no CVE ID, no “vulnerability”, no “security advisory” framing). The URL alone is opaque to non-team viewers.references[] once the advisory ships. For records still in DRAFT / REVIEW state it stays internal-only.gh issue comment calls inside the tracker repository — fine, they land on private issues.<security-list> private mail threads — fine.<private-list> PMC escalation mails — fine.