Enable PVR for all repos in an org (#34219)

Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Anne-Marie  <102995847+am-stead@users.noreply.github.com>

content/code-security/guides.md

@@ -53,6 +53,7 @@ includeGuides:
   - /code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/migrating-from-the-codeql-runner-to-codeql-cli
   - /code-security/repository-security-advisories/about-github-security-advisories-for-repositories
   - /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
+  - /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization
   - /code-security/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
   - /code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability
   - /code-security/repository-security-advisories/creating-a-repository-security-advisory

content/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository.md

@@ -10,7 +10,7 @@ miniTocMaxHeadingLevel: 3
 topics:
   - Security advisories
   - Vulnerabilities
-shortTitle: Configure private vulnerability reporting
+shortTitle: Configure for a repository
 ---
 
 {% data reusables.security-advisory.private-vulnerability-reporting-beta %}
@@ -22,12 +22,9 @@ Security researchers often feel responsible for alerting users to a vulnerabilit
 {% data reusables.security-advisory.private-vulnerability-reporting-overview %}
 
 For maintainers, the benefits of using private vulnerability reporting are: 
-- Less risk of being contacted publicly, or via undesired means.
+{% data reusables.security-advisory.private-vulnerability-reporting-benefits %}
-- Receive reports in the same platform you resolve them in for simplicity
+
-- The security researcher creates or at least initiates the advisory report on the behalf of maintainers.
+The instructions in this article refer to enablement at repository level. For information about enabling the feature at organization level, see "[Configuring private vulnerability reporting for an organization](/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization)."
-- Maintainers receive reports in the same platform as the one used to discuss and resolve the advisories.
-- Vulnerability less likely to be in the public eye.
-- The opportunity to discuss vulnerability details privately with security researchers and collaborate on the patch.
 
 ## Enabling or disabling private vulnerability reporting for a repository
 
@@ -36,9 +33,6 @@ For maintainers, the benefits of using private vulnerability reporting are:
 {% data reusables.repositories.navigate-to-code-security-and-analysis %}
 1. Under "Code security and analysis", to the right of "Private vulnerability reporting", click **Enable** or **Disable**, to enable or disable the feature, respectively.
 
- ![Screenshot of the "Code security and analysis" page with the "Enable" button emphasized for private vulnerability reporting](/assets/images/help/security/private-vulnerability-reporting-enable-or-disable.png)
+ ![Screenshot of the "Code security and analysis" page with the "Enable" button emphasized for private vulnerability reporting](/assets/images/help/security/private-vulnerability-reporting-enable-or-disable-repo.png)
-
-When a maintainer enables private security reporting for their repository, security researchers will see a new button in the **Advisories** page of the repository. The security researcher can click this button to privately report a security vulnerability to the repository maintainer. 
-
- ![Screenshot showing the "Report a vulnerability" button](/assets/images/help/security/report-a-vulnerability-button.png)
 
+{% data reusables.security-advisory.private-vulnerability-reporting-security-researcher %}

content/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization.md

@@ -0,0 +1,50 @@
+---
+title: Configuring private vulnerability reporting for an organization
+intro: Organization owners and security managers can allow security researchers to report vulnerabilities securely in repositories within the organization by enabling private vulnerability reporting for all its public repositories.
+permissions: 'Anyone with admin permissions to an organization, or with a security manager role within the organization, can enable and disable private vulnerability reporting for that organization.'
+versions:
+  fpt: '*'
+  ghec: '*'
+type: how_to
+miniTocMaxHeadingLevel: 3
+topics:
+  - Security advisories
+  - Vulnerabilities
+shortTitle: Configure for an organization
+---
+
+{% data reusables.security-advisory.private-vulnerability-reporting-beta %}
+
+## About privately reporting a security vulnerability
+
+Security researchers often feel responsible for alerting users to a vulnerability that could be exploited. If there are no clear instructions about contacting maintainers of the repository containing the vulnerability, security researchers may have no other choice but to post about the vulnerability on social media, send direct messages to the maintainer, or even create public issues. This situation can potentially lead to a public disclosure of the vulnerability details.
+
+{% data reusables.security-advisory.private-vulnerability-reporting-overview %}
+
+For organization owners and security managers, the benefits of using private vulnerability reporting are: 
+{% data reusables.security-advisory.private-vulnerability-reporting-benefits %}
+
+The instructions below refer to enablement at organization level. For information about enabling the feature for a repository, see "[Configuring private vulnerability reporting for a repository](/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository)."
+
+## Enabling or disabling private vulnerability reporting for all the existing public repositories in an organization
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.organizations.security-and-analysis %}
+1. Under "Code security and analysis", to the right of "Private vulnerability reporting", click **Enable all** or **Disable all**, to enable or disable the feature for all the public repositories within the organization, respectively.
+
+ ![Screenshot of the "Code security and analysis" page with the "Disable all" and the "Enable all" button emphasized for private vulnerability reporting](/assets/images/help/security/private-vulnerability-reporting-enable-or-disable-org.png)
+
+## Enabling or disabling private vulnerability reporting for new public repositories added to the organization
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+{% data reusables.organizations.security-and-analysis %}
+1. Under "Code security and analysis", to the right of the feature, click **Automatically enable for new public repositories**.
+
+ ![Screenshot of the "Code security and analysis" page with the "Automatically enable for new public repositories" checkbox emphasized for private vulnerability reporting](/assets/images/help/security/private-vulnerability-reporting-enable-or-disable-org-new-repos.png)
+
+1. To the right of "Private vulnerability reporting", click **Enable all** or **Disable all**, to enable or disable the feature for all new public repositories that will be added to the organization, respectively.
+
+## What having private vulnerability reporting enabled for a repository looks like for a security researcher
+
+{% data reusables.security-advisory.private-vulnerability-reporting-security-researcher %}

content/code-security/security-advisories/repository-security-advisories/index.md

@@ -18,6 +18,7 @@ children:
   - /about-repository-security-advisories
   - /permission-levels-for-repository-security-advisories
   - /configuring-private-vulnerability-reporting-for-a-repository
+  - /configuring-private-vulnerability-reporting-for-an-organization
   - /creating-a-repository-security-advisory
   - /editing-a-repository-security-advisory
   - /collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability

content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization.md

@@ -43,6 +43,7 @@ The page that's displayed allows you to enable or disable all security and analy
 You can enable or disable features for all repositories. 
 {% ifversion fpt or ghec %}The impact of your changes on repositories in your organization is determined by their visibility:
 
+- **Private vulnerability reporting** - Your changes affect public repositories only.
 - **Dependency graph** - Your changes affect only private repositories because the feature is always enabled for public repositories.
 - **{% data variables.product.prodname_dependabot_alerts %}** - Your changes affect all repositories.
 - **{% data variables.product.prodname_dependabot_security_updates %}** - Your changes affect all repositories.

data/learning-tracks/code-security.yml

@@ -12,6 +12,7 @@ security_advisories:
     - /code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
     - /code-security/security-advisories/guidance-on-reporting-and-writing/managing-privately-reported-security-vulnerabilities
     - /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
+    - /code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization
     - /code-security/security-advisories/repository-security-advisories/creating-a-repository-security-advisory
     - /code-security/security-advisories/repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory
     - /code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability

data/reusables/security-advisory/private-vulnerability-reporting-benefits.md

@@ -0,0 +1,6 @@
+- Less risk of being contacted publicly, or via undesired means.
+- Receive reports in the same platform you resolve them in for simplicity
+- The security researcher creates or at least initiates the advisory report on the behalf of maintainers.
+- Maintainers receive reports in the same platform as the one used to discuss and resolve the advisories.
+- Vulnerability less likely to be in the public eye.
+- The opportunity to discuss vulnerability details privately with security researchers and collaborate on the patch.

data/reusables/security-advisory/private-vulnerability-reporting-security-researcher.md

@@ -0,0 +1,3 @@
+When private vulnerability reporting is enabled for a repository, security researchers will see a new button in the **Advisories** page of the repository. The security researcher can click this button to privately report a security vulnerability to the repository maintainer. 
+
+ ![Screenshot showing the "Report a vulnerability" button for a repository where private vulnerability reporting has been enabled](/assets/images/help/security/report-a-vulnerability-button.png)