Table of Contents generated with DocToc
<Project Name> — private scanner products + finder anonymisationThis file lists the private scanner products whose name must not appear in any public CVE surface for this project, and declares the finder-anonymisation policy the security-issue-sync skill applies during sync.
The CVE-JSON generator reads three body fields verbatim into public surfaces:
containers.cna.descriptions[].valuecontainers.cna.credits[].value (type finder)The sync skill‘s anonymise gate (Step 1d signal row + Step 5b 1b sixth pre-push gate) scrubs the first two of those when the report came in through a private scanner channel. The Security mailing list thread field stays untouched (it is the team’s audit trail).
Each row lists one scanner product whose name must be stripped from public CVE surfaces when its findings flow into trackers on this project. Add a row per scanner the project's security team works with privately.
| Product name (token) | Discovery channel | Notes |
|---|---|---|
TODO: <scanner-product> | TODO: <channel — internal SAST, partner-shared, unpublished bug-bounty pipeline, vendor private disclosure> | TODO: <one-line context — why the name is sensitive, contract clause if any> |
Token format. The scanner-product token is the literal string the scrubber matches against the Short public summary text and the Security mailing list thread field. Match is case-insensitive substring. Add aliases on separate rows when a product has multiple names.
When this list is empty. If the project‘s security team never receives findings from private scanners (every report arrives via security@<project>.apache.org from a named individual), leave this table empty with a note to that effect. The sync skill’s anonymise gate becomes a no-op.
The anonymise gate applies the following rule when the Security mailing list thread field references one of the products above:
anonymous and strip the scanner-product name from the Short public summary for publish body field text.The scrubber must not anonymise a credit that was already public elsewhere:
security@ message (i.e. they sent the report themselves, named themselves, and asked to be credited).In any of these cases the credit was public-by-the-finder's- choice before this CVE shipped; the scrubber is for the opposite scenario (no explicit public consent).
A finder can opt back in to public credit by sending an explicit “please credit me as <name>” line on the thread. Record the consent in the tracker's status-rollup comment, set the Reporter credited as field to the consented form, and the gate stops firing for that tracker.
The Step 1d signal row fires when all of the following are true:
<First> <Last> pattern) rather than anonymous / a known public handle.security@ message; no public org-disclosed channel).When the signal fires, sync proposes the rewrite as a numbered Step 2 item; the user confirms or skips per the normal proposal flow.
security-issue-sync skill. The other five are title cleanup, upgrade-target version, trigger conditions, incomplete-fix cross-CVE clause, and CWE long-form description.<tracker>” rules in AGENTS.md.users@<project>.apache.org thread — the draft is composed from the same Short public summary the sync skill polished, so the anonymise scrub is a one-time fix that propagates downstream.