
security-disclosure-track

Track private vulnerability reports from triage through fix, CVE coordination, embargo, publication, and post-disclosure closure

Stars: 141
Source: jmagly/aiwg
Updated: 2026-05-31
Slug: jmagly--aiwg--security-disclosure-track

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/jmagly/aiwg/HEAD/agentic/code/frameworks/security-engineering/skills/security-disclosure-track/SKILL.md -o .claude/skills/security-disclosure-track.md

Drops the SKILL.md into .claude/skills/security-disclosure-track.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Security Disclosure Track

Manage the advisory lifecycle after security-report intake. This is the closure-loop companion for private vulnerability disclosure and completes curl Practice 27 coverage.

Stages

  1. Triage: validate scope, severity, affected versions, reproduction, reporter contact, and embargo clock.
  2. Fix: create a private implementation plan; avoid leaking details into public issues; record commits/patches by hash.
  3. CVE: determine whether CVE assignment is needed; record CNA/contact path.
  4. Publication: prepare advisory, patched versions, acknowledgements, and release notes.
  5. Close: confirm the disclosure is complete, the custody record is finalized, and the public advisory is linked.

Custody Record

Records live under .aiwg/security-engineering/reviews/disclosures/ and are ignored by default. Each transition appends timestamp, actor, evidence, decision, and next deadline.
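The five stages and the custody-record fields above, as an added example that is not code from the aiwg project: an in-memory, append-only record that enforces the stage order, requires actor, evidence, decision and next_deadline on every transition, and flags a deadline that has already passed. The report id, timestamps and evidence strings are constructed placeholders, and serialising to JSON lines for the disclosures directory is an assumption, not the skill's documented format.

```python
import json
from datetime import datetime, timedelta, timezone

# Stage order from the skill; a record advances exactly one stage per transition.
STAGES = ("triage", "fix", "cve", "publication", "close")
# Fields every appended transition must carry (Custody Record section above).
REQUIRED = ("actor", "evidence", "decision", "next_deadline")

class DisclosureRecord:
    """In-memory, append-only custody record for one private report."""

    def __init__(self, report_id):
        self.report_id = report_id  # operator-chosen id; demo() uses a constructed placeholder
        self.entries = []           # only ever appended to, never edited in place

    def stage(self):
        return self.entries[-1]["stage"] if self.entries else None

    def transition(self, stage, when=None, **fields):
        """Append one transition; refuse a skipped stage or a missing field."""
        missing = [k for k in REQUIRED if not fields.get(k)]
        if missing:
            raise ValueError(f"{stage}: missing {missing}")
        current = self.stage()
        if current == STAGES[-1]:
            raise ValueError("record already closed")
        expected = STAGES[0] if current is None else STAGES[STAGES.index(current) + 1]
        if stage != expected:
            raise ValueError(f"expected stage {expected!r}, got {stage!r}")
        entry = {"report_id": self.report_id, "stage": stage,
                 "timestamp": (when or datetime.now(timezone.utc)).isoformat(), **fields}
        self.entries.append(entry)
        return entry

    def overdue(self, now_iso):
        """Embargo-clock check: has the latest recorded next_deadline already passed?"""
        return bool(self.entries) and datetime.fromisoformat(now_iso) > datetime.fromisoformat(self.entries[-1]["next_deadline"])

    def to_jsonl(self):
        """One JSON object per line (assumed layout), ready to append under the disclosures directory."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

def demo():
    """Walk a constructed report through all five stages, one week apart; return the record."""
    rec, t0 = DisclosureRecord("REPORT-PLACEHOLDER-001"), datetime(2026, 1, 5, tzinfo=timezone.utc)
    for i, stage in enumerate(STAGES):
        rec.transition(stage, when=t0 + timedelta(days=7 * i), actor="maintainer",
                       evidence=f"constructed evidence for {stage}", decision="proceed",
                       next_deadline=(t0 + timedelta(days=7 * i + 7)).isoformat())
    return rec
```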

References

  • agentic/code/frameworks/security-engineering/skills/security-report/SKILL.md
  • agentic/code/frameworks/security-engineering/templates/SECURITY.md