Commit 73d65ed
BagToad and Copilot committed
Document dependency CVE policy in SECURITY.md

Clarify that a dependency having a CVE does not mean gh has a vulnerability. We use govulncheck for reachability analysis and ask reporters to demonstrate impact before we act on dependency CVE reports.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 97ba17b commit 73d65ed

File tree: 1 file changed, +2 -0 lines changed

.github/SECURITY.md

Lines changed: 2 additions & 0 deletions
@@ -11,6 +11,8 @@ If you believe you have found a security vulnerability in GitHub CLI, you can re
1111

1212
**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
1313

14+
A dependency having a CVE does not mean `gh` has a vulnerability. We use [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) to determine whether vulnerable symbols are actually reachable from `gh`'s code. If you are reporting a dependency CVE, please include evidence that the issue is exploitable in `gh`: a call chain into the affected symbols or a proof of concept. Reports that only list a dependency version and CVE without demonstrating impact will be closed.
15+
1416
Thanks for helping make GitHub safe for everyone.
1517

1618
[private vulnerability reporting]: https://github.com/cli/cli/security/advisories
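Review bot: the closing sentence of the new paragraph ("Reports that only list a dependency version and CVE without demonstrating impact will be closed") is stated more absolutely than the tool it relies on supports. govulncheck's reachability analysis is static call-graph analysis over Go code against entries in the Go vulnerability database that carry symbol-level data; it does not see calls made through package reflect, does not cover non-Go code pulled in via cgo, and cannot judge a database entry that lacks affected-symbol information. A dependency CVE in one of those categories would look unreachable to govulncheck and still be real. Suggest either softening to "will typically be closed" or adding that maintainers run govulncheck themselves and share its result when closing, and, since reporters are asked for "a call chain into the affected symbols", naming the invocation they should reproduce (for example `govulncheck ./...` from the repository root) so the call chain they submit matches what maintainers will see. Minor placement point: the paragraph sits between the bold "do not report through public issues" warning and the "Thanks" sign-off, which reads as a non sequitur; it fits more naturally immediately after the reporting instructions above the warning.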
