Merge pull request #52 from ossf/taladrane-patch-1

Minor updates to the "if you're using GitHub" section
ossf · Dec 18, 2023 · 1ec7e18 · 1ec7e18
2 parents 8f63009 + 434837b
commit 1ec7e18
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/maintainer-guide.md b/maintainer-guide.md
@@ -126,11 +126,11 @@ The vulnerability reporter is doing you a favor; don't add more steps than absol
 
 ##### If you are using GitHub
 
-If your project is on GitHub, we recommend [enabling privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability), even though that feature is currently only in beta. This is an easy-to-use mechanism, and ease of use is key.
+If your project is on GitHub, we recommend [enabling privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability). This is an easy-to-use mechanism, and ease of use is key.
 
 We recommend that you also follow the directions for [another service](#if-you-are-using-another-service). In particular, include email address(es) people can use for reporting instead of the GitHub private reporting mechanism.
 
-You may choose to use GitHub Security Advisory without enabling private reporting, but if you don't enable private reporting, only selected users can report vulnerabilities.
+You may choose to use GitHub Security Advisories for disclosure without enabling private reporting, but if you don't explicitly enable private reporting, users will be unable to report to you privately on GitHub.
 
 If you choose to use GitHub Security Advisory for private patch development, here's how we recommend supplementing it.
 Your Security Policy should instruct reporters to email the VMT with a vulnerability report ([see `SECURITY.md` templates](https://github.com/ossf/oss-vulnerability-guide/tree/main/templates/security_policies)). The VMT will then open a Security Advisory and add the reporter as a collaborator ([see GitHub documentation on GitHub Security Advisory](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-github-security-advisories)). It is also appropriate to email that alias for questions about the vulnerability disclosure process.