Tracked since May 19, 2026

Enable private vulnerability reporting on the canonical plugin repo

A merged PR closed a security-disclosure gap by fixing SECURITY.md’s advisory link to the canonical repository and enabling GitHub private vulnerability reporting, so private disclosures now land on the correct repo instead of a dead/legacy path.

Tags: SECURITY.md, GitHub Private Vulnerability Reporting, GitHub API, jeremylongshore/claude-code-plugins-plus-skills

What Happened

  • A merged PR closed a security-disclosure gap by fixing SECURITY.md’s advisory link to the canonical repository and enabling GitHub private vulnerability reporting, so private disclosures now land on the correct repo instead of a dead/legacy path.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Implemented a concrete security process fix: private vulnerability reporting was enabled through the GitHub API on the canonical repository, and the advisories URL in SECURITY.md was corrected from the deprecated repo slug to `jeremylongshore/claude-code-plugins-plus-skills`, restoring a valid private disclosure path.

Why Track This

Why It Matters

Security researchers and maintainers can now submit vulnerability reports through a private channel on the correct repository, which reduces the chance that sensitive findings are blocked by broken links and dropped to public-facing or manual fallback paths. Continue watching whether report intake remains visible and functional after repo or automation changes, and whether any tooling still references the old advisories slug. The change specifically updates SECURITY.md and the repo-level vulnerability-reporting setting, so the disclosure workflow no longer resolves to the legacy project and the GitHub "Report a vulnerability" entry point is now shown.

What To Watch Next

  • Watch whether SECURITY.md becomes a repeated pattern.
  • Track follow-up changes around AI Governance and Compliance.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: legacy_advisories_slug_regression, private_reporting_button_disappears.
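The two risk flags above, re-checked in code. This is an added example, not code from the PR or from the repository it describes; it assumes GitHub's `GET /repos/{owner}/{repo}/private-vulnerability-reporting` endpoint, which answers `{"enabled": true|false}`, and the SECURITY.md excerpt and the `LEGACY-OWNER/legacy-plugins` slug in it are constructed placeholders.

```python
"""Re-check the feed's two risk flags: every advisories link in SECURITY.md
points at the canonical repo, and private vulnerability reporting is enabled."""
import json
import re
import urllib.request

CANONICAL_SLUG = "jeremylongshore/claude-code-plugins-plus-skills"
# Assumed endpoint ("Check if private vulnerability reporting is enabled"),
# which returns a JSON body of the form {"enabled": true} on GET.
PVR_ENDPOINT = "https://api.github.com/repos/{slug}/private-vulnerability-reporting"
ADVISORY_URL = re.compile(r"https://github\.com/([\w.-]+/[\w.-]+)/security/advisories")


def advisory_slug_regressions(security_md: str, canonical: str = CANONICAL_SLUG) -> list[str]:
    """Return each advisories URL whose owner/repo slug is not the canonical one
    (the legacy_advisories_slug_regression flag). Slugs compare case-insensitively,
    as GitHub owner and repo names do."""
    return [m.group(0) for m in ADVISORY_URL.finditer(security_md)
            if m.group(1).lower() != canonical.lower()]


def private_reporting_enabled(api_json: str) -> bool:
    """Interpret the endpoint's JSON body; anything other than an explicit true
    counts as disabled (the private_reporting_button_disappears flag)."""
    try:
        return json.loads(api_json).get("enabled") is True
    except (ValueError, AttributeError):
        return False


def check_repo_live(slug: str, token: str) -> bool:
    """Live variant: query the real endpoint with a token that can read the repo."""
    req = urllib.request.Request(PVR_ENDPOINT.format(slug=slug), headers={
        "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return private_reporting_enabled(resp.read().decode())


# Constructed SECURITY.md excerpt: a stale placeholder link beside the corrected one.
SAMPLE_SECURITY_MD = """\
## Reporting a Vulnerability
Old: https://github.com/LEGACY-OWNER/legacy-plugins/security/advisories/new
New: https://github.com/jeremylongshore/claude-code-plugins-plus-skills/security/advisories/new
"""

if __name__ == "__main__":
    for url in advisory_slug_regressions(SAMPLE_SECURITY_MD):
        print("stale advisories link:", url)
    print("private reporting enabled:", private_reporting_enabled('{"enabled": true}'))
```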

Risk flags: legacy_advisories_slug_regression / private_reporting_button_disappears / vulnerability_ingest_monitoring_gap

Supporting Evidence