This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 7bb9035 feat(gmail/asf-relay): clickable external-ref URL +
paste-ready reporter block (#375)
7bb9035 is described below
commit 7bb90358463d5b9d81463ee1ad22d9f0245ecf1b
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sat May 30 00:42:22 2026 +0200
feat(gmail/asf-relay): clickable external-ref URL + paste-ready reporter
block (#375)
Two refinements to the asf-relay drafting shape, both per direct
feedback from Arnout Engelen (ASF Security, @raboof) on a
CVE-allocation relay sent for GHSA-2vgv-x9xr-7gfj / CVE-2026-49296,
2026-05-30:
1. Include the clickable external-reference URL (full GHSA / HackerOne
URL, not just the ID) on its own line near the top of the body.
The CVE-record URL goes on its own line too when the message
carries a CVE allocation. Saves the forwarder a re-lookup step.
2. Any text destined for the external reporter via the forwarder
goes as a ready-to-paste block in the reporter's voice —
addressed to the reporter, signed by the project, inside a
fenced block. Replaces the third-person "could you please pass
to <reporter> that …" framing, which forced the forwarder to
compose the actual reporter-facing text themselves and gave the
project no control over the final wording the reporter saw.
Applies to every relay message that carries reporter-facing
content: receipt of confirmation, credit-preference question,
CVE-allocation notification, status update, release-shipped
notification, advisory-published notification.
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
tools/gmail/asf-relay.md | 81 +++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 76 insertions(+), 5 deletions(-)
diff --git a/tools/gmail/asf-relay.md b/tools/gmail/asf-relay.md
index 81fee2b..c018d91 100644
--- a/tools/gmail/asf-relay.md
+++ b/tools/gmail/asf-relay.md
@@ -75,11 +75,82 @@ Placeholder convention:
context"* rule in [`../../AGENTS.md`](../../AGENTS.md). The ASF
security team knows the handling process; do **not** restate the
vulnerability, the severity analysis, or the project's CVE
- process. Link to the external reference (GHSA ID, HackerOne report
- URL) rather than repeating technical detail. When the purpose of
- the draft is a credit-preference relay, the ask is one sentence:
- *"Please forward the credit-preference question below to the
- external reporter through the original channel."*
+ process. When the purpose of the draft is a credit-preference
+ relay, the ask is one sentence: *"Please forward the
+ credit-preference question below to the external reporter through
+ the original channel."*
+
+- **Include the clickable external-reference URL in the body, not
+ just the ID.** The forwarder receives many relays; making them
+ re-look-up the ID to forward our reply is friction. Put the full
+ URL on its own line near the top of the body so it is one click
+ reachable:
+
+ - GHSA:
`https://github.com/<org>/<repo>/security/advisories/GHSA-NNNN-NNNN-NNNN`
+ - HackerOne: the report URL the forwarder originally shared
+ - Any other channel: the canonical URL for the report
+
+ The CVE-record URL (`https://www.cve.org/CVERecord?id=<CVE-ID>`
+ or the adopting project's CVE-tool URL) goes on its own line too
+ when the message includes a CVE allocation.
+
+- **Reporter-facing content goes as a ready-to-paste block, not as
+ a third-person ask.** Any text destined for the external reporter
+ via the forwarder MUST be drafted as the actual reporter-facing
+ message, addressed to the reporter and signed by the project,
+ inside a fenced block the forwarder can copy verbatim into their
+ reply to the reporter.
+
+ ❌ Third-person framing forces the forwarder to compose the
+ reporter-facing text themselves:
+
+ ```text
+ Could you please pass to Matteo that CVE was allocated for
+ GHSA-2vgv-x9xr-7gfj: CVE-2026-49296. Thanks.
+ ```
+
+ ✓ Paste-ready block in the reporter's voice:
+
+ ```text
+ Hi <forwarder>,
+
+ GHSA: https://github.com/<org>/<repo>/security/advisories/<GHSA-ID>
+ CVE: https://www.cve.org/CVERecord?id=<CVE-ID>
+
+ Please forward the following to the external reporter:
+
+ ---
+ Hello <reporter first-name>,
+
+ Thanks again for your report. We have allocated <CVE-ID> for
+ the issue and the fix is being prepared. Please keep this issue
+ private until it has been publicly disclosed.
+
+ Best,
+ <project> security team
+ ---
+
+ Thanks,
+ <sender>
+ ```
+
+ **Why both rules together.** The clickable URL gives the
+ forwarder one-click context on their side; the paste-ready block
+ gives them zero-edit-required content for their reply. Together
+ they reduce the relay round-trip to a single forward-and-paste
+ action on the forwarder's side and let the project control the
+ reporter-facing wording (credit framing, embargo wording,
+ disclosure-timeline language).
+
+ Apply this shape to every relay message that carries content
+ intended to reach the external reporter — receipt of
+ confirmation, credit-preference question, CVE-allocation
+ notification, status update, release-shipped notification,
+ advisory-published notification.
+
+ **Source:** Arnout Engelen (`@raboof`, `[email protected]`,
+ ASF Security) feedback on a CVE-allocation relay sent for
+ `GHSA-2vgv-x9xr-7gfj` / `CVE-2026-49296`, 2026-05-30.
## How the skills detect relay cases
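Review bot: the new rule and its ✓ example disagree on how the reporter-facing text is delimited. The bullet says the text MUST go "inside a fenced block the forwarder can copy verbatim into their reply", but the example sets it off with `---` lines inside the outer ```text fence, so a reader following the doc cannot tell whether a nested fence or the `---` separators is the expected shape; either reword the bullet to "between `---` separator lines" or change the example to show the nested fence (an outer fence of four backticks with a three-backtick fence inside). Separately, the ❌ example embeds a real reporter first name and real identifiers (`Matteo`, `GHSA-2vgv-x9xr-7gfj`, `CVE-2026-49296`) while the ✓ example uses `<reporter first-name>`, `<GHSA-ID>` and `<CVE-ID>`; using the file's own placeholder convention in both examples keeps a reporter's name out of repository docs and makes the contrast about framing rather than about the specific case, with the concrete identifiers left to the **Source** line where they already appear.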