jmagly/security-disclosure-track
agentic/code/frameworks/security-engineering/skills/security-disclosure-track/SKILL.md
Track private vulnerability reports from triage through fix, CVE coordination, embargo, publication, and post-disclosure closure
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg security-disclosure-trackInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 24, 2026, 6:20 AM87.6s2 files scanned
SKILL.md
- namespace:
- aiwg
- name:
- security-disclosure-track
- platforms:
- [all]
- description:
- Track private vulnerability reports from triage through fix, CVE coordination, embargo, publication, and post-disclosure closure
- - case-record:
- .aiwg/security-engineering/reviews/disclosures/<case-id>.md
- - private-channel:
- configured advisory, private issue, encrypted email, or encrypted form
- - custody-log:
- every transition records actor, timestamp, evidence, and next deadline
- - disclosure-plan:
- coordinated-disclosure dates and publication checklist
- - public-channel:
- refuses to publish private report details to public tracker channels before disclosure
- entrypoint:
- scripts/track.mjs
- runtime:
- node
- cwd:
- project-root
- argsHint:
- <case-id> [--stage triage|fix|cve|publish|close] [--evidence <text>] [--decision <text>] [--next-deadline <date>] [--embargo-days N]
- argumentHint:
- <case-id> [--stage triage|fix|cve|publish|close] [--embargo-days N]
- allowedTools:
- Read, Write, Bash
- model:
- sonnet
- category:
- security
- orchestration:
- true
Security Disclosure Track
Manage the advisory lifecycle after security-report intake. This is the closure-loop companion for private vulnerability disclosure and completes curl Practice 27 coverage.
Stages
- Triage: validate scope, severity, affected versions, reproduction, reporter contact, and embargo clock.
- Fix: create private implementation plan; avoid public issue leakage; record commits/patches by hash.
- CVE: determine whether CVE assignment is needed; record CNA/contact path.
- Publication: prepare advisory, patched versions, acknowledgements, and release notes.
- Close: confirm disclosure complete, custody record finalized, public advisory linked.
Custody Record
Records live under .aiwg/security-engineering/reviews/disclosures/ and are ignored by default. Each transition appends timestamp, actor, evidence, decision, and next deadline.
References
agentic/code/frameworks/security-engineering/skills/security-report/SKILL.mdagentic/code/frameworks/security-engineering/templates/SECURITY.md
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026