summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2020-12-03 14:18:51 +0100
committerDaniel Stenberg <daniel@haxx.se>2020-12-03 14:22:56 +0100
commit939485208b9576dcf62dae2e27d64911c5d3946b (patch)
tree8edf7e838f16b51e61481beeb95eb23c706ec968
parent41b3b830f118197a4b4988f425902493f4f85de8 (diff)
downloadcurl-bagder/sec-proc-hackerone.tar.gz
SECURITY-PROCESS: disclose on hackerone [skip ci]bagder/secproc-hackeronebagder/sec-proc-hackerone
Once a vulnerability has been published, the hackerone issue should be disclosed. For tranparency.
-rw-r--r--docs/SECURITY-PROCESS.md8
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md
index c77ff1778..a5d487adf 100644
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@@ -125,6 +125,14 @@ Publishing Security Advisories
6. On security advisory release day, push the changes on the curl-www
repository's remote master branch.
+Hackerone
+---------
+
+Request the issue to be disclosed. If there are sensitive details present in
+the report and discussion, those should be redacted from the disclosure. The
+default policy is to disclose as much as possible as soon as the vulnerability
+has been published.
+
Bug Bounty
----------