SECURITY-PROCESS: disclose on hackerone [skip ci]bagder/secproc-hackerone bagder/sec-proc-hackerone

Once a vulnerability has been published, the hackerone issue should be disclosed. For tranparency.
author: Daniel Stenberg <daniel@haxx.se> 2020-12-03 14:18:51 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2020-12-03 14:22:56 +0100
commit: 939485208b9576dcf62dae2e27d64911c5d3946b (patch)
tree: 8edf7e838f16b51e61481beeb95eb23c706ec968
parent: 41b3b830f118197a4b4988f425902493f4f85de8 (diff)
download: curl-bagder/sec-proc-hackerone.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md
index c77ff1778..a5d487adf 100644
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@@ -125,6 +125,14 @@ Publishing Security Advisories
 6. On security advisory release day, push the changes on the curl-www
    repository's remote master branch.
 
+Hackerone
+---------
+
+Request the issue to be disclosed. If there are sensitive details present in
+the report and discussion, those should be redacted from the disclosure. The
+default policy is to disclose as much as possible as soon as the vulnerability
+has been published.
+
 Bug Bounty
 ----------
author	Daniel Stenberg <daniel@haxx.se>	2020-12-03 14:18:51 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2020-12-03 14:22:56 +0100
commit	939485208b9576dcf62dae2e27d64911c5d3946b (patch)
tree	8edf7e838f16b51e61481beeb95eb23c706ec968
parent	41b3b830f118197a4b4988f425902493f4f85de8 (diff)
download	curl-bagder/sec-proc-hackerone.tar.gz