author Daniel Stenberg <daniel@haxx.se> 2020-12-03 14:18:51 +0100
committer Daniel Stenberg <daniel@haxx.se> 2020-12-03 22:29:34 +0100
commit 6703eb2f4cd3cd0cf008e5103e2ec7aa85eabedc (patch)
tree 162581b83d395355bf2b05040f7192e8cd4a2231
parent 753a2c758aafcf3220367436e0244bd090806d2d (diff)
SECURITY-PROCESS: disclose on hackerone
Once a vulnerability has been published, the hackerone issue should be disclosed. For transparency. Closes #6275
-rw-r--r-- docs/SECURITY-PROCESS.md 8
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md
index c77ff1778..a5d487adf 100644
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@@ -125,6 +125,14 @@ Publishing Security Advisories
6. On security advisory release day, push the changes on the curl-www
repository's remote master branch.
+Hackerone
+---------
+
+Request the issue to be disclosed. If there are sensitive details present in
+the report and discussion, those should be redacted from the disclosure. The
+default policy is to disclose as much as possible as soon as the vulnerability
+has been published.
+
Bug Bounty
----------
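Review bot: the new Hackerone section does not say who requests the disclosure or at which point in the process; the numbered "Publishing Security Advisories" list above ends at step 6 (pushing to curl-www on release day), so consider adding the disclosure request as an explicit final step, or naming the person who handled the report as the one responsible for filing it once the advisory is live. "Sensitive details" is also left undefined; a short list of what must be redacted before disclosure (for example reporter contact data or anything in reproduction logs that was never part of the public advisory) would make redaction consistent between reports. Minor style point: the service spells its name "HackerOne", and the surrounding headings ("Bug Bounty", "Publishing Security Advisories") capitalise each word.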