chore(agents): defines a new AGENTS.md focused on reporting vulnerabilities

[lukaszlenart]

No description provided.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[ppkarwasz]

Hi @lukaszlenart,

This looks good, but shouldn't CLAUDE.md and AGENTS.md be merged? As far as I know both are read by Claude, but the latter name is more vendor-neutral.

It might also be useful to expand the instruction for PRs and ask the agent to first check if the PR solves some security issue. If that is the case the PR should not be submitted, but the issue should be reported.

[sepe81]

Hello @lukaszlenart,

One suggestion: the pre-reporting steps, assessment checklist, and report requirements would also be useful to human researchers, not only AI agents. SECURITY.md could be a better place for this content — GitHub shows it on the Security tab and it would help anyone, with or without AI tooling. It would also avoid the same guidance living in two files that could go out of sync.

If the content moves to SECURITY.md, the question is whether AGENTS.md is still needed. It could be dropped entirely, or replaced with a soft-link to CLAUDE.md, which the project already has for AI assistants.

For Claude Code specifically, a .claude/agents/vulnerability-reporter.md subagent (the project already has several in .claude/agents/) could fetch SECURITY.md and the security bulletins at runtime and guide a researcher through the checklist interactively — more useful than a static file.

Proposed structure:

• SECURITY.md — gets all the pre-reporting guidance; one source of truth
• AGENTS.md — dropped, or a soft-link to CLAUDE.md
• .claude/agents/vulnerability-reporter.md — interactive Claude Code agent