To report a security vulnerability privately, use GitHub's Private Vulnerability Reporting feature. Submit your report through the Security Advisories page. All reports are kept confidential and are not publicly visible until a fix is released.
Do not open a public issue for security vulnerabilities.
If you find a security issue (exposed credentials, sensitive data in history, etc.):
- Go to the repository's Security tab
- Click "Report a vulnerability"
- Submit details through the private form
We commit to acknowledging all vulnerability reports within 14 days of submission (typically within 5 business days). For this repository, most issues will resolve quickly since no application code or infrastructure is involved.
This is a personal reference library containing writing style guides and legal drafting standards. It holds no credentials, keys, or sensitive personal data. The primary security concern is accidental credential or PII exposure in commits.
- Secrets detection: Trufflehog scans commits via Qlty (.qlty/qlty.toml)
- Pattern scanning: Ripgrep flags credential-shaped strings
- Git-ignored locals: PDF sources and extracted text are never committed
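Added example, not part of this policy or the repository's own tooling: a pre-commit style ripgrep scan for credential-shaped strings of the kind the pattern-scanning control above describes. The token patterns, file names and sample contents are assumptions constructed here, and the function falls back to grep -E where rg is not installed.

```shell
#!/bin/sh
# Added example: scan a working tree for credential-shaped strings before they
# reach a commit, in the spirit of the policy's ripgrep check. The patterns are
# illustrative and assumed here (common token prefixes, private-key headers,
# key=value secrets); the repository's real scan is its Trufflehog/Qlty setup.
# Kept to POSIX ERE so the same pattern runs under both `rg` and `grep -E`.
CRED_PATTERNS="ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|[A-Za-z_]*(key|secret|token|password)[A-Za-z_]*[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_/+=-]{16,}"

# scan_for_credentials DIR: prints each hit as file:line:text and returns 1 if
# any credential-shaped string is found, 0 if the tree is clean.
scan_for_credentials() {
    dir=$1
    if command -v rg >/dev/null 2>&1; then
        # rg honours .gitignore, so ignored PDF sources and extracted text are skipped
        hits=$(rg -n --no-messages -e "$CRED_PATTERNS" "$dir" || true)
    else
        hits=$(grep -rnE -e "$CRED_PATTERNS" "$dir" 2>/dev/null || true)
    fi
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_sample_tree DIR CLEAN|DIRTY: writes constructed sample files for a demo run.
make_sample_tree() {
    mkdir -p "$1"
    printf 'Use the Oxford comma in lists of three or more.\n' > "$1/style.md"
    if [ "$2" = DIRTY ]; then
        # constructed, non-functional value shaped like a GitHub token
        printf 'token = ghp_0123456789abcdef0123456789abcdef0123\n' > "$1/notes.md"
    fi
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/clean" CLEAN
    make_sample_tree "$tmp/dirty" DIRTY
    scan_for_credentials "$tmp/clean" && echo "clean tree: no findings"
    scan_for_credentials "$tmp/dirty" || echo "dirty tree: findings above, block the commit"
    rm -rf "$tmp"
fi
```

Run it as `sh scan.sh demo` to see both outcomes; wired into a pre-commit hook, a non-zero return is what stops the commit.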
Two GitHub Actions secrets are used: SONAR_TOKEN and QLTY_COVERAGE_TOKEN.
The first authenticates SonarCloud analysis; the second authenticates Qlty coverage
reporting. Both tokens must be fine-grained service-issued credentials scoped to the
minimum permissions required by each service (SonarCloud project-scoped tokens and Qlty
repo-scoped tokens); classic GitHub PATs must not be used as repository or organization
secrets. Verify the current values match this requirement at
Settings > Secrets and variables > Actions at least every 60 days, alongside the
known-vulnerabilities reassessment cadence. If either token is found to be a classic PAT,
rotate to a fine-grained credential immediately. Both tokens are rotated annually
or immediately upon any indicator of compromise (unexpected API activity, token exposure
in logs, or repository access anomaly). To rotate, generate a new token from the
respective service dashboard and update it at Settings > Secrets and variables >
Actions in the GitHub repository settings.
Policy mirrors ByronWilliamsCPA/.github SECURITY.md.