docs: improve vulnerability reporting guide

[miyoungc]

Summary

Previews:

• README.md#security
• SECURITY.md
  

Signed-off-by: Miyoung Choi miyoungc@nvidia.com

Type of Change

• Code change for a new feature, bug fix, or refactor.
• Code change with doc updates.
• Doc only. Prose changes without code sample modifications.
• Doc only. Includes code sample changes.

Testing

• npx prek run --all-files passes (or equivalently make check).
• npm test passes.
• make docs builds without warnings. (for doc-only changes)

Checklist

General

• I have read and followed the contributing guide.
• I have read and followed the style guide. (for doc-only changes)

Code Changes

• Formatters applied — npx prek run --all-files auto-fixes formatting (or make format for targeted runs).
• Tests added or updated for new or changed behavior.
• No secrets, API keys, or credentials committed.
• Doc pages updated for any user-facing behavior changes (new commands, changed defaults, new features, bug fixes that contradict existing docs).

Doc Changes

• Follows the style guide. Try running the update-docs agent skill to draft changes while complying with the style guide. For example, prompt your agent with "/update-docs catch up the docs for the new changes I made in this PR."
• New pages include SPDX license header and frontmatter, if creating a new page.
• Cross-references and links verified.

Summary by CodeRabbit

• Documentation
  • Simplified the documentation index table headers and adjusted page entries (e.g., renamed “CLI Reference” to “CLI Commands”).
  • Expanded the security reporting guidance into a detailed policy with clear "no public issue" instructions and step‑by‑step expectations.
  • Added explicit private reporting channels (encrypted email, vendor disclosure program, and private GitHub reporting) and clarified required vulnerability details.
  • Added a “Report Vulnerabilities” resource link and pointers to vendor security bulletins and policies.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated repository documentation to expand and reorganize security vulnerability reporting guidance: README.md adjusts the documentation table and Security section; SECURITY.md adds detailed reporting channels, submission steps, checklist, and expected handling; docs/index.md adds a "Report Vulnerabilities" link to SECURITY.md.

Changes

Cohort / File(s)	Summary
Security Documentation README.md, SECURITY.md, docs/index.md	README: removed Type column, renamed headers to `Page

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 I nibble notes by lantern light,

"Report securely," the burrow writes,
Encrypted hops to PSIRT's door,
No public trails across the floor,
Safe warren, safe code—I thump for more.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and accurately summarizes the main changes: improvements to vulnerability reporting documentation across README.md, SECURITY.md, and docs/index.md.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/report-vulnerabilities

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

README.md (1)

1-2: ⚠️ Potential issue | 🟠 Major

Add the required SPDX header at the top of README.md.

The Markdown SPDX copyright/license header is missing.

Proposed fix

+<!--
+  SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+  SPDX-License-Identifier: Apache-2.0
+-->
+
 # 🦞 NVIDIA NemoClaw: Reference Stack for Running OpenClaw in OpenShell

As per coding guidelines, **/*.{js,cjs,mjs,ts,tsx,sh,md} files must include SPDX headers and Markdown files must use HTML comments.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 1 - 2, Add the required SPDX Markdown header to the
top of README.md (above the existing title line "# 🦞 NVIDIA NemoClaw: Reference
Stack for Running OpenClaw in OpenShell"): insert the two HTML comment SPDX
lines (copyright text and SPDX-License-Identifier) as per project policy so the
file contains the SPDX header in HTML comment form for Markdown files; ensure
the header appears before any other content and follows the same format used
across other docs in the repo.

🧹 Nitpick comments (1)

SECURITY.md (1)

8-8: Use active voice in these sentences.

Both lines use passive constructions; rewrite to active voice for docs consistency.

As per coding guidelines, "Active voice required. Flag passive constructions."

Also applies to: 53-53

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@SECURITY.md` at line 8, Rewrite the passive sentences to active voice:
replace "If a potential security issue is inadvertently reported through a
public channel, NVIDIA maintainers may limit public discussion and redirect the
reporter to the appropriate private disclosure channels." with an active-voice
version that names the actor and direct object (for example: "If you
inadvertently report a potential security issue through a public channel, NVIDIA
maintainers may limit public discussion and will redirect you to the appropriate
private disclosure channels."); apply the same change to the related sentence at
the other occurrence (the line referenced as also applies to: 53-53) so both
instances use active voice and address the reporter directly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@SECURITY.md`:
- Around line 1-3: Add an SPDX header HTML comment at the very top of the
Markdown file before the "## Security" heading: insert the required SPDX
copyright and license block (in HTML comment form) as specified by the coding
guidelines so the file includes the SPDX header for Markdown files; ensure the
comment appears above the existing "## Security" line.

---

Outside diff comments:
In `@README.md`:
- Around line 1-2: Add the required SPDX Markdown header to the top of README.md
(above the existing title line "# 🦞 NVIDIA NemoClaw: Reference Stack for
Running OpenClaw in OpenShell"): insert the two HTML comment SPDX lines
(copyright text and SPDX-License-Identifier) as per project policy so the file
contains the SPDX header in HTML comment form for Markdown files; ensure the
header appears before any other content and follows the same format used across
other docs in the repo.

---

Nitpick comments:
In `@SECURITY.md`:
- Line 8: Rewrite the passive sentences to active voice: replace "If a potential
security issue is inadvertently reported through a public channel, NVIDIA
maintainers may limit public discussion and redirect the reporter to the
appropriate private disclosure channels." with an active-voice version that
names the actor and direct object (for example: "If you inadvertently report a
potential security issue through a public channel, NVIDIA maintainers may limit
public discussion and will redirect you to the appropriate private disclosure
channels."); apply the same change to the related sentence at the other
occurrence (the line referenced as also applies to: 53-53) so both instances use
active voice and address the reporter directly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 136fcc91-41d4-4dd4-bd11-a080303539ee

📥 Commits

Reviewing files that changed from the base of the PR and between 2cb6ed8 and b55c15c.

📒 Files selected for processing (3)

• README.md
• SECURITY.md
• docs/index.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add the required SPDX header block at the top of this Markdown file.

This file is missing the required SPDX copyright and license header in HTML comment form.

Proposed fix

+<!--
+  SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+  SPDX-License-Identifier: Apache-2.0
+-->
+
 <!-- markdownlint-disable MD041 -->
 ## Security

As per coding guidelines, **/*.{js,cjs,mjs,ts,tsx,sh,md} files must include SPDX headers and Markdown files must use HTML comments.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<!-- markdownlint-disable MD041 -->
	## Security
	<!--
	SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
	SPDX-License-Identifier: Apache-2.0
	-->
	<!-- markdownlint-disable MD041 -->
	## Security

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@SECURITY.md` around lines 1 - 3, Add an SPDX header HTML comment at the very
top of the Markdown file before the "## Security" heading: insert the required
SPDX copyright and license block (in HTML comment form) as specified by the
coding guidelines so the file includes the SPDX header for Markdown files;
ensure the comment appears above the existing "## Security" line.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

README.md (1)

1-1: ⚠️ Potential issue | 🟠 Major

Add required SPDX header at the top of this Markdown file.

README.md is missing the required SPDX license header comments.

Proposed fix

+<!-- SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. -->
+<!-- SPDX-License-Identifier: Apache-2.0 -->
+
 # 🦞 NVIDIA NemoClaw: Reference Stack for Running OpenClaw in OpenShell

As per coding guidelines, “**/*.{js,cjs,mjs,ts,tsx,sh,md}: Include SPDX license header at the top of every source file … Use # comments for shell scripts and HTML comments for Markdown files.”

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 1, Add the required SPDX license header as an HTML comment
at the very top of README.md (above the "# 🦞 NVIDIA NemoClaw..." title). Insert
a one-line or multi-line HTML comment containing the SPDX copyright/text and
SPDX-License-Identifier (e.g., SPDX-FileCopyrightText and
SPDX-License-Identifier fields) so the Markdown file complies with the project's
SPDX header rule.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@README.md`:
- Line 1: Add the required SPDX license header as an HTML comment at the very
top of README.md (above the "# 🦞 NVIDIA NemoClaw..." title). Insert a one-line
or multi-line HTML comment containing the SPDX copyright/text and
SPDX-License-Identifier (e.g., SPDX-FileCopyrightText and
SPDX-License-Identifier fields) so the Markdown file complies with the project's
SPDX header rule.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 394a2a47-f2eb-40f8-84dd-ca196d0015f7

📥 Commits

Reviewing files that changed from the base of the PR and between b55c15c and 1b04f57.

📒 Files selected for processing (1)

• README.md

[krmurph]

LGTM