From b55c15c78796c266d7df1d19f28872179a15bf51 Mon Sep 17 00:00:00 2001
From: Miyoung Choi <miyoungc@nvidia.com>
Date: Mon, 30 Mar 2026 16:40:55 -0700
Subject: [PATCH 1/2] docs: improve vulnerability reporting guide

---
 README.md     | 10 ++++++++-
 SECURITY.md   | 62 ++++++++++++++++++++++++++++++++++++++-------------
 docs/index.md |  1 +
 3 files changed, 57 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index 5b9ebd176..4c41a6a99 100644
--- a/README.md
+++ b/README.md
@@ -179,7 +179,15 @@ We welcome contributions. See [CONTRIBUTING.md](CONTRIBUTING.md) for development
 
 ## Security
 
-Report vulnerabilities privately. See [SECURITY.md](SECURITY.md).
+NVIDIA takes security seriously.
+If you discover a vulnerability in NemoClaw, **DO NOT open a public issue.**
+Use one of the private reporting channels described in [SECURITY.md](SECURITY.md):
+
+- Submit a report through the [NVIDIA Vulnerability Disclosure Program](https://www.nvidia.com/en-us/security/report-vulnerability/).
+- Send an email to [psirt@nvidia.com](mailto:psirt@nvidia.com) encrypted with the [NVIDIA PGP key](https://www.nvidia.com/en-us/security/pgp-key).
+- Use [GitHub's private vulnerability reporting](https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/configuring-private-vulnerability-reporting-for-a-repository) to submit a report directly on this repository.
+
+For security bulletins and PSIRT policies, visit the [NVIDIA Product Security](https://www.nvidia.com/en-us/security/) portal.
 
 ## License
 
diff --git a/SECURITY.md b/SECURITY.md
index 9dee9356f..daa5ecc0e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,26 +1,58 @@
 <!-- markdownlint-disable MD041 -->
 ## Security
 
-NVIDIA is dedicated to the security and trust of our software products and services, including all source code repositories managed through our organization.
+NVIDIA is dedicated to the security and trust of its software products and services, including all source code repositories managed through our organization.
 
-If you need to report a security issue, please use the appropriate contact points outlined below. **Please do not report security vulnerabilities through GitHub.** If a potential security issue is inadvertently reported via a public issue or pull request, NVIDIA maintainers may limit public discussion and redirect the reporter to the appropriate private disclosure channels.
+If you need to report a security issue, use the appropriate contact points outlined below.
+**DO NOT report security vulnerabilities through public GitHub issues or pull requests.**
+If a potential security issue is inadvertently reported through a public channel, NVIDIA maintainers may limit public discussion and redirect the reporter to the appropriate private disclosure channels.
 
-## Reporting Potential Security Vulnerability in an NVIDIA Product
+## How to Report a Vulnerability
 
-To report a potential security vulnerability in any NVIDIA product:
+Report a potential security vulnerability in NemoClaw or any NVIDIA product through one of the following channels.
 
-- Web: [Security Vulnerability Submission Form](https://www.nvidia.com/object/submit-security-vulnerability.html)
-- E-Mail: <psirt@nvidia.com>
-  - We encourage you to use the following PGP key for secure email communication: [NVIDIA public PGP Key for communication](https://www.nvidia.com/en-us/security/pgp-key)
-  - Please include the following information:
-  - Product/Driver name and version/branch that contains the vulnerability
-  - Type of vulnerability (code execution, denial of service, buffer overflow, etc.)
-  - Instructions to reproduce the vulnerability
-  - Proof-of-concept or exploit code
-  - Potential impact of the vulnerability, including how an attacker could exploit the vulnerability
+### NVIDIA Vulnerability Disclosure Program
 
-While NVIDIA currently does not have a bug bounty program, we do offer acknowledgement when an externally reported security issue is addressed under our coordinated vulnerability disclosure policy. Please visit our [Product Security Incident Response Team (PSIRT)](https://www.nvidia.com/en-us/security/psirt-policies/) policies page for more information.
+Submit a report through the [NVIDIA Vulnerability Disclosure Program](https://www.nvidia.com/en-us/security/report-vulnerability/).
+This is the preferred method for reporting security concerns across all NVIDIA products.
+
+### Email
+
+Send an encrypted email to [psirt@nvidia.com](mailto:psirt@nvidia.com).
+Use the [NVIDIA public PGP key](https://www.nvidia.com/en-us/security/pgp-key) to encrypt the message.
+
+### GitHub Private Vulnerability Reporting
+
+You can use [GitHub's private vulnerability reporting](https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/configure-vulnerability-reporting/configuring-private-vulnerability-reporting-for-a-repository) to submit a report directly on this repository.
+Navigate to the **Security** tab and select **Report a vulnerability**.
+
+## What to Include
+
+Provide as much of the following information as possible:
+
+- Product name and version or branch that contains the vulnerability.
+- Type of vulnerability (code execution, denial of service, buffer overflow, privilege escalation, etc.).
+- Step-by-step instructions to reproduce the vulnerability.
+- Proof-of-concept or exploit code.
+- Potential impact, including how an attacker could exploit the vulnerability.
+
+Detailed reports help NVIDIA evaluate and address issues faster.
+
+## What to Expect
+
+NVIDIA's Product Security Incident Response Team (PSIRT) triages all incoming reports.
+After submission:
+
+1. NVIDIA acknowledges receipt and begins analysis.
+2. NVIDIA validates the report and determines severity.
+3. NVIDIA develops and tests corrective actions.
+4. NVIDIA publishes a security bulletin and releases a fix.
+
+Visit the [PSIRT Policies](https://www.nvidia.com/en-us/security/) page for details on timelines and acknowledgement practices.
+
+While NVIDIA does not currently have a public bug bounty program, we do offer acknowledgement when an externally reported security issue is addressed under our coordinated vulnerability disclosure policy.
 
 ## NVIDIA Product Security
 
-For all security-related concerns, please visit NVIDIA's Product Security portal at <https://www.nvidia.com/en-us/security>
+For security bulletins, PSIRT policies, and all security-related concerns, visit the [NVIDIA Product Security](https://www.nvidia.com/en-us/security/) portal.
+Subscribe to notifications on that page to receive alerts when new bulletins are published.
diff --git a/docs/index.md b/docs/index.md
index eb50dd807..3d6fbb95d 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -264,6 +264,7 @@ Troubleshooting <reference/troubleshooting>
 :caption: Resources
 :hidden:
 
+Report Vulnerabilities <https://github.com/NVIDIA/NemoClaw/blob/main/SECURITY.md>
 resources/license
 Discord <https://discord.gg/XFpfPv9Uvx>
 ```

From 1b04f5788b62ab1d1e09bb6134174cbc10715bff Mon Sep 17 00:00:00 2001
From: Miyoung Choi <miyoungc@nvidia.com>
Date: Mon, 30 Mar 2026 16:45:43 -0700
Subject: [PATCH 2/2] docs: add minor improvement

---
 README.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 4c41a6a99..9f715cc74 100644
--- a/README.md
+++ b/README.md
@@ -135,17 +135,17 @@ For troubleshooting installation or onboarding issues, see the [Troubleshooting
 
 Refer to the following pages on the official documentation website for more information on NemoClaw.
 
-| Type | Link | Description |
-|------|------|-------------|
-| Overview | [Overview](https://docs.nvidia.com/nemoclaw/latest/about/overview.html) | What NemoClaw does and how it fits together. |
-| How It Works | [How It Works](https://docs.nvidia.com/nemoclaw/latest/about/how-it-works.html) | Plugin, blueprint, sandbox lifecycle, and protection layers. |
-| Architecture | [Architecture](https://docs.nvidia.com/nemoclaw/latest/reference/architecture.html) | Plugin structure, blueprint lifecycle, sandbox environment, and host-side state. |
-| Inference | [Inference Profiles](https://docs.nvidia.com/nemoclaw/latest/reference/inference-profiles.html) | Supported providers, validation, and routed inference configuration. |
-| Network Policy | [Network Policies](https://docs.nvidia.com/nemoclaw/latest/reference/network-policies.html) | Baseline rules, operator approval flow, and egress control. |
-| Customize Policy | [Customize Network Policy](https://docs.nvidia.com/nemoclaw/latest/network-policy/customize-network-policy.html) | Static and dynamic policy changes, presets. |
-| Sandbox Hardening | [Sandbox Hardening](https://docs.nvidia.com/nemoclaw/latest/deployment/sandbox-hardening.html) | Container security measures, capability drops, process limits. |
-| CLI Reference | [CLI Commands](https://docs.nvidia.com/nemoclaw/latest/reference/commands.html) | Full command reference. |
-| Troubleshooting | [Troubleshooting](https://docs.nvidia.com/nemoclaw/latest/reference/troubleshooting.html) | Common issues and resolution steps. |
+| Page | Description |
+|------|-------------|
+| [Overview](https://docs.nvidia.com/nemoclaw/latest/about/overview.html) | What NemoClaw does and how it fits together. |
+| [How It Works](https://docs.nvidia.com/nemoclaw/latest/about/how-it-works.html) | Plugin, blueprint, sandbox lifecycle, and protection layers. |
+| [Architecture](https://docs.nvidia.com/nemoclaw/latest/reference/architecture.html) | Plugin structure, blueprint lifecycle, sandbox environment, and host-side state. |
+| [Inference Profiles](https://docs.nvidia.com/nemoclaw/latest/reference/inference-profiles.html) | Supported providers, validation, and routed inference configuration. |
+| [Network Policies](https://docs.nvidia.com/nemoclaw/latest/reference/network-policies.html) | Baseline rules, operator approval flow, and egress control. |
+| [Customize Network Policy](https://docs.nvidia.com/nemoclaw/latest/network-policy/customize-network-policy.html) | Static and dynamic policy changes, presets. |
+| [Sandbox Hardening](https://docs.nvidia.com/nemoclaw/latest/deployment/sandbox-hardening.html) | Container security measures, capability drops, process limits. |
+| [CLI Commands](https://docs.nvidia.com/nemoclaw/latest/reference/commands.html) | Full NemoClaw CLI command reference. |
+| [Troubleshooting](https://docs.nvidia.com/nemoclaw/latest/reference/troubleshooting.html) | Common issues and resolution steps. |
 
 ## Project Structure