
Improve clarity in Security Policy paragraph#4628

Open
tarini0782 wants to merge 5 commits into wso2:main from tarini0782:patch-1

Conversation


@tarini0782 tarini0782 commented Jan 9, 2026

Updated SECURITY.md to improve readability while keeping the original meaning.

Summary by CodeRabbit

  • Documentation
    • Reworked security reporting into a privacy-first, private-report workflow (report via email) and updated warning formatting.
    • Removed references and links to the previous public-disclosure process and schedule.
    • Added a detailed "How to Report a Security Vulnerability" section with step-by-step reporting, required details, guidance on secure messaging, confidentiality expectations, and that public disclosure happens only after internal review.


coderabbitai bot commented Jan 9, 2026

Walkthrough

SECURITY.md was revised to remove the public vulnerability-disclosure flow and Vulnerability Management Process link, reformat the warning, and add a private-first "How to Report a Security Vulnerability" workflow with detailed reporting steps, confidentiality guidance, secure-message/public-key handling, and staged internal vs. public disclosure (41 words).

Changes

Cohort / File(s): Documentation Update (SECURITY.md)
Summary: Rewrote "Reporting Vulnerabilities": converted warning to block format; removed public-disclosure schedule and old Vulnerability Management Process link; introduced private reporting workflow directing reporters to security@wso2.com; added detailed "How to Report" steps, required info, secure messaging/public-key note, and staged internal→public disclosure guidance.

Sequence Diagram(s)

sequenceDiagram
    participant Reporter
    participant SecurityTeam
    participant EncryptionService
    participant Engineering
    participant Public

    Reporter->>SecurityTeam: Submit vulnerability report (email, details, PoC)
    alt reporter sends encrypted message
        Reporter->>EncryptionService: Provide public-key encrypted payload
        EncryptionService->>SecurityTeam: Deliver decrypted report
    end
    SecurityTeam->>Engineering: Validate and triage issue
    Engineering-->>SecurityTeam: Fix and remediation details
    SecurityTeam->>Reporter: Acknowledge, coordinate disclosure timeline
    SecurityTeam->>Public: Publish advisory after coordinated disclosure

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 I nibble at lines, tuck secrets away,
I turn loud flags hushed, for a safer day,
"Send softly, lock tightly," I whisper with glee,
A public key wink—safe as a tree,
We hop, we patch, then shout — quietly.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Title check: ❓ Inconclusive
Explanation: The title 'Improve clarity in Security Policy paragraph' is partially related to the changeset but does not capture the main change. The primary modification is a comprehensive restructuring of the vulnerability reporting workflow with new private reporting guidance, not merely a clarity improvement to a single paragraph.
Resolution: Consider a more specific title that reflects the actual scope: e.g., 'Add private vulnerability reporting workflow and remove external link dependencies' or 'Restructure Security Policy with comprehensive private reporting guidance'.

✅ Passed checks (2 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 03c427a and ac4e3db.

📒 Files selected for processing (1)
  • SECURITY.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • SECURITY.md


@tarini0782
Author

Updated SECURITY.md to improve clarity and readability while keeping original meaning.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @SECURITY.md:
- Around line 5-12: The two external links in SECURITY.md (the "Vulnerability Management Process" and "Security Vulnerability Reporting Guidelines") are inaccessible (403) and must be removed or replaced; update the SECURITY.md content to either point to publicly-accessible equivalents or delete those link references and instead provide a brief internal summary of the process and reporting steps, ensure the mailto security@wso2.com and mention of the public key remain (or link to a reachable public key URL), and verify the updated text around the phrases "Vulnerability Management Process" and "Security Vulnerability Reporting Guidelines" no longer references the broken docs.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c16a70e and fc7bbd1.

📒 Files selected for processing (1)
  • SECURITY.md

- Replaced broken external documentation links with publicly accessible URLs
- Corrected bold formatting for "after WSO2 completes its" phrase
- Retained email reference to security@wso2.com and mention of public key
- Ensured the paragraph is clear and easy to read for reporting vulnerabilities

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @SECURITY.md:
- Around line 5-12: The SECURITY.md references two inaccessible URLs; verify whether the correct public links are different or if the docs moved and update the two URLs (https://security.docs.wso2.com/en/latest/security-processes/ and https://security.docs.wso2.com/en/latest/security-reporting/report-security-issues/) to working locations, or remove those external links and instead embed the essential reporting guidance directly in SECURITY.md (include steps for private reporting, expected information, PGP public key notice, and the existing mailto:security@wso2.com contact). Ensure the mailto link remains unchanged and add a brief note that external docs were removed or replaced for clarity.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fc7bbd1 and 2c97f8f.

📒 Files selected for processing (1)
  • SECURITY.md

Updated SECURITY.md to replace inaccessible external links for the Vulnerability Management Process and Security Vulnerability Reporting Guidelines with publicly accessible URLs. 

- Preserved the mailto link to security@wso2.com
- Kept bolding for "after WSO2 completes its" as per preview
- Ensured formatting and grammar remain correct
- Users can now access guidance without encountering 403 errors

This resolves the issue raised by the review bot regarding inaccessible documentation links.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @SECURITY.md:
- Around line 9-12: The two referenced links in SECURITY.md (the Vulnerability Management Process URL and the Vulnerability Reporting Guidelines URL) return HTTP 403 and must be replaced with publicly accessible URLs or removed; update the markdown to point to the correct public pages (or an alternative public guidance page) and ensure the public key/contact guidance remains valid — specifically replace the two existing links to https://security.docs.wso2.com/en/latest/security-processes/vulnerability-management-process/ and https://security.docs.wso2.com/en/latest/security-reporting/report-security-issues/ with working public URLs or add a note directing users to an accessible security portal and confirm the security@wso2.com public key statement remains accurate.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2c97f8f and 5f030f0.

📒 Files selected for processing (1)
  • SECURITY.md
🔇 Additional comments (2)
SECURITY.md (2)

5-5: Improved warning format.

The blockquote format for the warning is clearer than plain text and properly draws attention to the security reporting requirement.


7-7: Clearer private reporting guidance.

The updated guidance is more explicit about the requirement to report privately before public disclosure, reducing ambiguity for security researchers.

Updated the SECURITY.md file to address inaccessible links and clarify vulnerability reporting instructions:

- Replaced or removed the broken external URLs for Vulnerability Management Process and Security Vulnerability Reporting Guidelines.
- Ensured private reporting instructions to security@wso2.com remain clear.
- Added a note about the PGP public key for secure reporting.
- Improved readability and formatting of the Reporting Vulnerabilities section.

These changes ensure that security researchers and users can follow the reporting process without encountering inaccessible links.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
SECURITY.md (1)

11-23: Clear, structured reporting instructions with one minor ambiguity.

The step-by-step format is well-organized and the information requirements (product/version, description, reproduction steps, severity assessment) are appropriately comprehensive. The WSO2 response process is clearly explained. However, Line 19's reference to "the public key associated with the security mailing list" is vague—it doesn't indicate where or how reporters should find this key. Consider being more specific about the location or access method for the PGP public key.

💬 Suggested clarification for public key reference
-3. **Confidential communication:** If you wish to send secure messages, use the public key associated with the security mailing list.
+3. **Confidential communication:** If you wish to send secure messages, use the PGP public key for security@wso2.com (available at [URL/location]).
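Review bot: the `+` line still carries the `[URL/location]` placeholder, so this suggestion cannot be merged as written; it needs a resolvable URL before it goes into SECURITY.md. Alongside the URL, the line should also state the key's fingerprint, because a key fetched by e-mail address alone (for instance from a public keyserver, where anyone can upload a key with any user ID) gives the reporter no way to confirm they are encrypting to WSO2's actual key; a fingerprint printed in the repository's SECURITY.md is what lets them check the key they downloaded.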

Replace [URL/location] with the actual location where your public key is hosted (e.g., a security keyserver, your organization's website, or a specific URL).

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5f030f0 and 03c427a.

📒 Files selected for processing (1)
  • SECURITY.md
🔇 Additional comments (2)
SECURITY.md (2)

5-9: Strong security guidance with clear emphasis on private reporting.

The reformatted warning using blockquote styling is more prominent and accessible than plain text. The core guidance clearly directs reporters to security@wso2.com with explicit prohibition on public/forum disclosure, and the requirement for WSO2's internal handling to complete before public disclosure aligns with responsible disclosure practices.


25-25: Good closing note, but consider making it more informational.

The closing sentence explains the intent well. If there were previously broken links to external resources, this self-contained guidance is a solid improvement for reliability and user experience.

- Added clarification for step 3 under "How to Report a Security Vulnerability" to specify that the PGP public key for security@wso2.com is available via the WSO2 Security portal.
- Ensures reporters have a clear, accessible method for secure communication.
- Removed reliance on inaccessible external links; all guidance is now self-contained.
- Preserves original instructions for private reporting, required information, and WSO2's response process.

@tarini0782 tarini0782 left a comment


Updated SECURITY.md: embedded reporting instructions, removed inaccessible links, clarified PGP public key guidance. All steps now accessible and clear.
