Security-Vulnerabilities: Update with additional info

gtjoseph · gtjoseph · commit 9949c6d9aca4 · 2026-03-19T08:34:12.000-06:00
diff --git a/docs/About-the-Project/Asterisk-Security-Vulnerabilities.md b/docs/About-the-Project/Asterisk-Security-Vulnerabilities.md
@@ -1,45 +1,49 @@
----
-title: Asterisk Security Vulnerabilities
-pageid: 27199866
----
+
+# Asterisk Security Vulnerabilities
 
 The Asterisk project takes the issue of its users security seriously. If you believe you have found a security vulnerability in the Asterisk software itself, please follow the steps on this wiki page to report the security vulnerability to the Asterisk Development Team.
 
-!!! note 
-    The Asterisk project does not produce or work on the underlying tools the project uses, such as Github. For security vulnerabilities found in these the report should be directed to the company or project that creates it. We *will* however accept reports related to the configuration of those tools.
+/// note 
+The Asterisk project does not produce or work on the underlying tools the project uses, such as Github. For security vulnerabilities found in these the report should be directed to the company or project that creates it. We *will* however accept reports related to the configuration of those tools.
+///
 
-[//]: # (end-note)
+## What Can Be Reported?
 
-!!! warning
+1. Issues relating to the Asterisk source code or usage.
+2. Issues in the configuration of a tool the Asterisk project uses.
 
-    The Issue Tracker is Public!
-    The [Asterisk Issue Tracker](https://github.com/asterisk/asterisk/issues) is a public site, and all bug reports against Asterisk can be viewed openly by the public. While this results in a transparent, open process - which is good - reporting a security vulnerability on the issue tracker without properly selecting "[Report a vulnerability](https://github.com/asterisk/asterisk/security/advisories/new)" on the [New Issue page](https://github.com/asterisk/asterisk/issues/new/choose) makes the entire Asterisk user community vulnerable.
+## Reporting a Security Vulnerability
 
-    Reporting a vulnerability will automatically restrict who can view the information.
+All security vulnerabilities must be reported via the Asterisk GitHub project repository using the
+"[Report a vulnerability](https://github.com/asterisk/asterisk/security/advisories/new)" button under the repository's "[Security](https://github.com/asterisk/asterisk/security)" tab.
+This method restricts the report to the reporter and Asterisk staff.
 
-[//]: # (end-warning)
+/// warning | Do NOT use the public Issue Tracker!
+The [Asterisk Issue Tracker](https://github.com/asterisk/asterisk/issues) is a public site, and all bug reports against Asterisk can be viewed openly by the public. While this results in a transparent, open process - which is good - reporting a security vulnerability on the issue tracker without properly selecting "[Report a vulnerability](https://github.com/asterisk/asterisk/security/advisories/new)" makes the report immediately public and makes the entire Asterisk user community vulnerable.
+///
 
-What Can Be Reported?
-=====================
+#### Do NOT use the "Start a temporary private fork" security advisory feature! 
 
-1. Issues relating to the Asterisk source code or usage.
-2. Issues in the configuration of a tool the Asterisk project uses.
-
-Reporting a Security Vulnerability
-==================================
+Private forks created from security advisories are severly limited by GitHub
+and cannot run the workflows necessary for validation and testing. Once a security
+advisory is accepted, reporters will be given instructions on how to submit or test
+a fix pull request.
 
-All security vulnerabilities should be reported on the GitHub project. **You must use the "[Report a vulnerability](https://github.com/asterisk/asterisk/security/advisories/new)" option on the [New Issue page](https://github.com/asterisk/asterisk/issues/new/choose) or the information will be publicly disclosed.**
+## Release scheduling
 
 Security vulnerabilities are treated seriously by the developer community, and the Asterisk Development Team always attempts to address vulnerabilities in a timely fashion. Sometimes, external influences may impact when a security release can be made; feel free to comment on the security vulnerability to discuss the schedule for a security release for your issue.
 
-Past Security Vulnerabilities
-=============================
+## Past Security Vulnerabilities
+
+Past security vulnerability reports are available in several places...
 
-Past security vulnerability reports are available on the [asterisk.org web site](http://www.asterisk.org/downloads/security-advisories) and on the [Asterisk downloads](http://downloads.asterisk.org/pub/security/) site.
+* On the [asterisk.org web site](http://www.asterisk.org/downloads/security-advisories)
+* On the projects GitHub repository unser the "[Security](https://github.com/asterisk/asterisk/security)" tab.
+  (reports for 2023 and later).
+* On the [Asterisk downloads](http://downloads.asterisk.org/pub/security/) site. (reports for 2022 and earlier)
 
 All security vulnerabilities are also issued a CVE number and can be queried in the [CVE](http://cve.mitre.org/) database.
 
-Rewards
-=======
+## Rewards
 
 The Asterisk project does not provide rewards for the submission of security vulnerabilities. Recognition is provided for Asterisk code security vulnerabilities by being named as part of the release notes and security advisory. For security vulnerabilities in infrastructure or non-Asterisk code recognition is not guaranteed and is determined on a case by case basis.
