From 53374e39efd16ce54f2e76e1b74d9891935a5882 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 9 Sep 2021 14:46:38 +0200 Subject: docs: the security list is reached at security at curl.se now Also update the FAQ section a bit to encourage users to rather submit security issues on hackerone than sending email. --- docs/FAQ | 12 ++++++++---- docs/SECURITY-PROCESS.md | 2 +- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/FAQ b/docs/FAQ index d678e9e3a..43b57045d 100644 --- a/docs/FAQ +++ b/docs/FAQ @@ -288,10 +288,14 @@ FAQ from having to repeat ourselves even more. Thanks for respecting this. If you have found or simply suspect a security problem in curl or libcurl, - mail curl-security at haxx.se (closed list of receivers, mails are not - disclosed) and tell. Then we can produce a fix in a timely manner before the - flaw is announced to the world, thus lessen the impact the problem will have - on existing users. + submit all the details at https://hackerone.one/curl. On there we keep the + issue private while we investigate, confirm it, work and validate a fix and + agree on a time schedule for publication etc. That way we produce a fix in a + timely manner before the flaw is announced to the world, reducing the impact + the problem risk having on existing users. + + Security issues can also be taking to the curl security team by emailing + security at curl.se (closed list of receivers, mails are not disclosed). 1.9 Where do I buy commercial support for curl? diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index a5d487adf..e4bccb263 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -91,7 +91,7 @@ announcement. - The security web page on the website should get the new vulnerability mentioned. -curl-security (at haxx dot se) +security (at curl dot se) ------------------------------ This is a private mailing list for discussions on and about curl security -- cgit v1.2.1