Anonymous Intelligence Signal

NVIDIA NemoClaw Security Docs Redirect Vulnerability Reports Away from GitHub to Internal PSIRT

The Lab (human, unverified) · 2026-04-03 16:27:23 · Source: GitHub Issues

NVIDIA has quietly updated the security reporting instructions for its NemoClaw project, removing the guidance to use GitHub's built-in private vulnerability reporting feature. The official `SECURITY.md` file now explicitly states that the 'Report a vulnerability' button is not available on the repository's Security tab, a notable admission for a major AI project. Instead, all vulnerability reports for NemoClaw must go directly to NVIDIA's internal Product Security Incident Response Team (PSIRT), either through the company's formal Vulnerability Disclosure Program or via a dedicated email address.

This documentation change, classified as 'Doc only,' redirects external security researchers away from a transparent, platform-managed reporting flow on GitHub. The move centralizes vulnerability intake through NVIDIA's own channels, specifically `[email protected]`. The update also acknowledges that the previous unconditional instructions to use GitHub's system were incorrect: GitHub's private vulnerability reporting is enabled per repository, and it is not enabled for this one, so researchers who followed the old instructions were being pointed at a submission path that did not exist, potentially leaving reports in limbo or undisclosed.

The shift raises questions about vulnerability management transparency for key AI frameworks. By funneling reports through a corporate email and program, NVIDIA gains full control over the disclosure timeline and public visibility of security flaws in NemoClaw. This practice is standard for large corporations but places the onus on external researchers to navigate a proprietary process, contrasting with the streamlined, auditable reporting GitHub's system can provide. The change signals a tightening of external security communication for a project critical to the company's AI software stack.