From 73d65ed7012fdd3d3dea021ec5a117fdb64efd29 Mon Sep 17 00:00:00 2001 From: Kynan Ware <47394200+BagToad@users.noreply.github.com> Date: Wed, 8 Apr 2026 11:28:30 -0600 Subject: [PATCH] Document dependency CVE policy in SECURITY.md Clarify that a dependency having a CVE does not mean gh has a vulnerability. We use govulncheck for reachability analysis and ask reporters to demonstrate impact before we act on dependency CVE reports. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/SECURITY.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 50e489c54..76bb91fc7 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -11,6 +11,8 @@ If you believe you have found a security vulnerability in GitHub CLI, you can re **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** +A dependency having a CVE does not mean `gh` has a vulnerability. We use [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) to determine whether vulnerable symbols are actually reachable from `gh`'s code. If you are reporting a dependency CVE, please include evidence that the issue is exploitable in `gh`: a call chain into the affected symbols or a proof of concept. Reports that only list a dependency version and CVE without demonstrating impact will be closed. + Thanks for helping make GitHub safe for everyone. [private vulnerability reporting]: https://github.com/cli/cli/security/advisories
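Review bot: The added paragraph in the `.github/SECURITY.md` hunk leaves the scope of the reachability check implicit: `govulncheck` only reports findings for advisories recorded in the Go vulnerability database, and only for Go code reachable through the static call graph. A reporter whose dependency CVE is not yet indexed there, or whose concern is a non-Go component, a build-time tool or a data-only issue, would get no signal from the tool and could reasonably be unsure what evidence is expected. Suggest adding one sentence stating that scope, and listing `govulncheck` output for the affected module version as an accepted form of the requested call-chain evidence, e.g. "A `govulncheck` report showing the affected symbol reachable from `gh` is sufficient evidence." Minor: the link text `[`govulncheck`](...)` renders correctly, but consider also linking the Go vulnerability database so reporters can confirm whether the CVE is covered before filing.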