blob: 12bc5839f2174c299a1963a45d6fca1221591ac5 [file] [view]
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [Confidentiality — drafting elaboration](#confidentiality--drafting-elaboration)
- [Sharing a tracker URL with someone who cannot access it](#sharing-a-tracker-url-with-someone-who-cannot-access-it)
- [Where the tracker URLs are routinely OK to use](#where-the-tracker-urls-are-routinely-ok-to-use)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
# Confidentiality — drafting elaboration
Agentic Drafting-time elaboration of the tracker-confidentiality rules. The
load-bearing rules — the three-layer model (identifiers public, contents
private, security-framing embargoed), the "what public surfaces must not
contain" checklist, the content scrub, and "other ASF projects" — live
inline in
[`AGENTS.md`](../AGENTS.md#confidentiality-of-the-tracker-repository).
This file holds the two how-to elaborations that an agent loads when it
is actually composing reporter-facing or public text.
## Sharing a tracker URL with someone who cannot access it
When the recipient is an external reporter, a public-PR reviewer who is
not on the security team, or any other audience without read access to
`<tracker>`, **pair the URL with a one-line note** that the link is an
identifier only:
> Tracking this internally as
> `https://github.com/<tracker>/issues/NNN` (private — you will not
> be able to view the page; included as a stable identifier so we
> both reference the same issue across messages).
Wording is not load-bearing; the load-bearing element is that the
recipient knows the link will 404 for them and that this is expected.
The note can be omitted on surfaces where every viewer is a
security-team member (the tracker itself, `<security-list>` threads
restricted to the team, internal docs, rollup entries).
## Where the tracker URLs are routinely OK to use
- **Reporter emails** — *may* include the tracker URL in any status
update, paired with the explanatory note above. This makes
cross-message threading much cleaner for the reporter and gives
them a stable identifier to file the report under.
- **Public `<upstream>` PR descriptions and commit messages** —
*may* include the tracker URL as a cross-reference, **so long as
the surrounding text does not characterise the PR as a security
fix** (no CVE ID, no *"vulnerability"*, no *"security advisory"*
framing). The URL alone is opaque to non-team viewers.
- **Public CVE records and archived advisories** — the tracker URL
may appear in `references[]` once the advisory ships. For
records still in DRAFT / REVIEW state it stays internal-only.
- **`gh issue comment` calls inside the tracker repository** — fine,
they land on private issues.
- **`<security-list>` private mail threads** — fine.
- **`<private-list>` PMC escalation mails** — fine.