blob: ff6cbeac08c4210ea9f455afcad5f4edd76a72d3 [file] [view]
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)*
- [TODO: `<Project Name>` — private scanner products + finder anonymisation](#todo-project-name--private-scanner-products--finder-anonymisation)
- [Private scanner products to anonymise](#private-scanner-products-to-anonymise)
- [Finder anonymisation policy](#finder-anonymisation-policy)
- [Exempt cases (keep the named credit)](#exempt-cases-keep-the-named-credit)
- [Per-finder override](#per-finder-override)
- [Detection signal — how the skill recognises a private-scanner thread](#detection-signal--how-the-skill-recognises-a-private-scanner-thread)
- [Related rules](#related-rules)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- SPDX-License-Identifier: Apache-2.0
https://www.apache.org/licenses/LICENSE-2.0 -->
# TODO: `<Project Name>` — private scanner products + finder anonymisation
This file lists the **private scanner products** whose name must
not appear in any public CVE surface for this project, and
declares the **finder-anonymisation policy** the
[`security-issue-sync`](../../skills/security-issue-sync/SKILL.md)
skill applies during sync.
The CVE-JSON generator reads three body fields verbatim into
public surfaces:
- *Short public summary for publish* → `containers.cna.descriptions[].value`
- *Reporter credited as* → `containers.cna.credits[].value` (type `finder`)
- *Security mailing list thread* → **private audit trail**,
not pushed to the CVE record
The sync skill's anonymise gate (Step 1d signal row +
Step 5b 1b sixth pre-push gate) scrubs the first two of those
when the report came in through a private scanner channel. The
*Security mailing list thread* field stays untouched (it is the
team's audit trail).
## Private scanner products to anonymise
Each row lists one scanner product whose name must be stripped
from public CVE surfaces when its findings flow into trackers
on this project. Add a row per scanner the project's security
team works with privately.
| Product name (token) | Discovery channel | Notes |
|---|---|---|
| TODO: `<scanner-product>` | TODO: `<channelinternal SAST, partner-shared, unpublished bug-bounty pipeline, vendor private disclosure>` | TODO: `<one-line contextwhy the name is sensitive, contract clause if any>` |
**Token format.** The scanner-product token is the literal
string the scrubber matches against the *Short public summary*
text and the *Security mailing list thread* field. Match is
case-insensitive substring. Add aliases on separate rows when
a product has multiple names.
**When this list is empty.** If the project's security team
never receives findings from private scanners (every report
arrives via `security@<project>.apache.org` from a named
individual), leave this table empty with a note to that
effect. The sync skill's anonymise gate becomes a no-op.
## Finder anonymisation policy
The anonymise gate applies the following rule when the *Security
mailing list thread* field references one of the products
above:
1. **Default**: rewrite the *Reporter credited as* field to
`anonymous` and strip the scanner-product name from the
*Short public summary for publish* body field text.
2. **Audit trail stays**: the *Security mailing list thread*
field, the status-rollup comment, and the Gmail / PonyMail
thread keep the original scanner-product + person-name
references for security-team auditing.
### Exempt cases (keep the named credit)
The scrubber must **not** anonymise a credit that was already
public elsewhere:
- The finder has a public **HackerOne** or **huntr.dev** report
URL on the thread.
- The finder self-credited under their real name in their own
inbound `security@` message (i.e. they sent the report
themselves, named themselves, and asked to be credited).
- The finder's organisation publicly disclosed the discovery
channel (a vendor blog post, an ASF community announcement,
a public CVE record that already names them).
In any of these cases the credit was public-by-the-finder's-
choice before this CVE shipped; the scrubber is for the
opposite scenario (no explicit public consent).
### Per-finder override
A finder can opt back **in** to public credit by sending an
explicit *"please credit me as `<name>`"* line on the thread.
Record the consent in the tracker's status-rollup comment, set
the *Reporter credited as* field to the consented form, and
the gate stops firing for that tracker.
## Detection signal — how the skill recognises a private-scanner thread
The Step 1d signal row fires when **all** of the following
are true:
1. The *Security mailing list thread* body field's text
contains one of the scanner-product tokens declared above
(case-insensitive substring).
2. The *Reporter credited as* body field names a person
(`<First> <Last>` pattern) rather than `anonymous` /
a known public handle.
3. None of the exempt-case signals above is present on the
tracker (no public HackerOne/huntr.dev URL; no inbound
self-naming `security@` message; no public org-disclosed
channel).
When the signal fires, sync proposes the rewrite as a
numbered Step 2 item; the user confirms or skips per the
normal proposal flow.
## Related rules
- The anonymise rule is one of **six pre-push hygiene gates**
in [Step 5b 1b](../../skills/security-issue-sync/apply-and-push.md#decision-flow)
of the `security-issue-sync` skill. The other five are
title cleanup, upgrade-target version, trigger conditions,
incomplete-fix cross-CVE clause, and CWE long-form
description.
- The CVE-record-bound surfaces also follow the broader
"Confidentiality of `<tracker>`" rules in
[`AGENTS.md`](../../AGENTS.md#confidentiality-of-the-tracker-repository).
- The same anonymisation rule indirectly applies to advisory
mail drafted on the `users@<project>.apache.org` thread —
the draft is composed from the same *Short public summary*
the sync skill polished, so the anonymise scrub is a
one-time fix that propagates downstream.