Update HackerOne links in SECURITY.md#1268
Conversation
🏠 Remote-Dev: homespace
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
No issues with the diff itself, but since the new submission link uses an opaque HackerOne embedded-form UUID, it'd be worth a quick human confirmation that this UUID points to Anthropic's program before merging.
Extended reasoning...
Overview
This PR updates two URLs in SECURITY.md: the HackerOne vulnerability submission form link (now pointing to a UUID-based embedded submission form) and the program page link (anthropic-vdp → anthropic). It is a documentation-only change with no code impact.
Security risks
There is no code execution or build risk. However, SECURITY.md is the canonical pointer for where researchers send vulnerability reports. Both new URLs remain on the hackerone.com domain, so this isn't a phishing redirect. The hackerone.com/anthropic program page is publicly verifiable. The embedded submission form URL (4f1f16ba-10d3-...), though, is an opaque identifier — I can't confirm from the diff alone that it routes to Anthropic's program rather than some other org's intake form. A wrong UUID here would silently misdirect vulnerability reports.
Level of scrutiny
Low complexity, but the correctness of the UUID is an out-of-band fact that can't be validated by reading the repo. That makes it a one-glance human check rather than something I should rubber-stamp.
Other factors
No bugs were flagged by the bug-hunting system, no prior review comments, and the change is otherwise trivial. Deferring solely so a maintainer can confirm the embedded-form UUID is the intended one.
🏠 Remote-Dev: homespace
There was a problem hiding this comment.
LGTM — straightforward doc update to SECURITY.md links and heading.
Extended reasoning...
Overview
This PR updates SECURITY.md only: it swaps the HackerOne submission form URL to an embedded-submissions link, updates the program page URL from hackerone.com/anthropic-vdp to hackerone.com/anthropic, and renames the "Vulnerability Disclosure Program" heading to "Anthropic Bug Bounty". No code, config, or workflow files are touched.
Security risks
None from a code-execution standpoint — this is pure documentation. The links point to the hackerone.com domain, so there's no risk of redirecting researchers to a malicious destination. The only conceivable concern is link correctness (e.g., the embedded-submission UUID), but that's a content/ownership matter for the author and not something static review can validate.
Level of scrutiny
Low. This is a markdown-only change with no effect on the action's runtime behavior, build, or release artifacts. It matches the recent commit history (Rename VDP heading to Anthropic Bug Bounty, Update HackerOne links in SECURITY.md), indicating it's an intentional, coordinated update.
Other factors
The bug-hunting system found no issues, the PR timeline has no outstanding reviewer comments, and the diff is small and self-contained. Approving.
2 participants
Updates the HackerOne submission form and program page links.