Opened 23 months ago
Closed 21 months ago
#57937 closed defect (bug) (fixed)
Sync the SECURITY.md file with our HackerOne policy
| Reported by: | desrosj | Owned by: | peterwilsoncc |
|---|---|---|---|
| Milestone: | 6.2.1 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | has-patch fixed-major |
| Focuses: | | Cc: | |
Description
The `SECURITY.md` file has fallen out of sync with the policy outlined on the project's HackerOne profile.
The file in Core should be updated to match the policy listed there.
Change History (14)
#1
@
23 months ago
- Summary changed from Update the SECURITY.md file to Sync the SECURITY.md file with our HackerOne policy
#2
23 months ago
This ticket was mentioned in PR #4241 on WordPress/wordpress-develop by @desrosj.
#3
@
23 months ago
- Keywords commit added
Patch: https://github.com/WordPress/wordpress-develop/pull/4241
@desrosj the changes now match HackerOne's Policy page content. Marking for commit.
#4
23 months ago
@peterwilsoncc commented on PR #4241:
Just so you're aware when committing these changes, `grunt patch` doesn't work with `SECURITY.md`, so you'll need to do something like `patch -p0 < <(gh pr diff 4241 --repo=WordPress/wordpress-develop)` to get this into your commit checkout. (Unless I've messed up and it's `-p1`.)
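The `-p0` / `-p1` question in the comment above, worked through as an added example that is not from the ticket, the pull request or WordPress's build tooling: the script builds a scratch checkout and a constructed stand-in for `gh pr diff` output, then lets `patch --dry-run` settle the strip level before anything is written. `gh pr diff` emits git-format headers (`a/FILE`, `b/FILE`), which is why `-p1` is the level that applies; the directory, file contents and diff are all constructed for the demo and `gh` is never called, so it runs offline.

```shell
#!/bin/sh
# Added example (not ticket, PR or WordPress code): pick the strip level for a
# git-format diff with a dry run, then apply it. Fixture data is constructed.
set -eu

# Build a scratch checkout with a two-line SECURITY.md and a constructed diff
# shaped like `gh pr diff` output (diff --git header, a/ and b/ prefixes).
make_fixture() {
  dir=$(mktemp -d)
  printf 'line one\nline two\n' > "$dir/SECURITY.md"
  cat > "$dir/pr.diff" <<'EOF'
diff --git a/SECURITY.md b/SECURITY.md
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,2 +1,3 @@
 line one
 line two
+line three
EOF
  printf '%s\n' "$dir"
}

# Print the first strip level (0 or 1) at which the diff applies cleanly.
# --dry-run leaves the checkout untouched; -f stops patch from prompting when
# the unstripped a/SECURITY.md path of -p0 does not exist (it just skips, exit 1).
detect_strip_level() {
  for p in 0 1; do
    if (cd "$1" && patch -f -s --dry-run -p"$p" -i pr.diff >/dev/null 2>&1); then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# Apply the diff for real with the detected strip level and print the result.
apply_pr_diff() {
  p=$(detect_strip_level "$1")
  (cd "$1" && patch -f -s -p"$p" -i pr.diff >/dev/null)
  cat "$1/SECURITY.md"
}

# Stand-alone run. In the real workflow pr.diff would come from
# `gh pr diff 4241 --repo=WordPress/wordpress-develop > pr.diff` in the svn checkout.
demo_dir=$(make_fixture)
echo "strip level: $(detect_strip_level "$demo_dir")"
apply_pr_diff "$demo_dir"
rm -rf "$demo_dir"
```

The dry run is the part worth keeping in a committer's muscle memory: a wrong `-p` on a real checkout fails loudly with `-f` instead of prompting for a filename, and nothing is modified until the level that applies cleanly is known.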
#5
follow-up:
↓ 7
@
23 months ago
To follow the KISS principle, it might be easier to link to H1 rather than attempt to maintain multiple sources of truth.
I'd suggest:
- supported versions
- targets

### Full policy

The full security policy for WordPress, WordPress.org and other WordPress foundation products can be found on the [WordPress HackerOne program page](https://hackerone.com/wordpress). Security issues must be submitted via HackerOne and it is recommended you read the full policy document before submitting your report.
#6
@
22 months ago
- Keywords dev-feedback added
Adding dev-feedback
to draw attention to this comment.
#7
in reply to:
↑ 5
@
21 months ago
- Keywords commit dev-feedback removed
Replying to peterwilsoncc:
> To follow the KISS principle, it might be easier to link to H1 rather than attempt to maintain multiple sources of truth.

I think this is a fine path to take, though I'd probably include something about responsible disclosure.

### Full policy

WordPress is an open-source publishing platform. The WordPress Security Team believes in Responsible Disclosure by alerting the security team immediately and privately of any potential vulnerabilities. Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure. The full security policy and the full list of covered projects and infrastructure can be found on the [WordPress HackerOne program page](https://hackerone.com/wordpress). Security issues must be submitted via HackerOne and it is recommended you read the full policy document before submitting your report.

I'll update the pull request accordingly to reflect this.
#8
@
21 months ago
One question I'd like to make sure we know the answer to: is there any benefit on GitHub that we'd lose by truncating our `SECURITY.md` file? For example, does GH parse certain sections and list it anywhere for easy reference?
#9
@
21 months ago
It looks like GitHub simply lists it in full at https://github.com/WordPress/wordpress-develop/security/
@desrosj You will need to view in a private window as you're an administrator of the wordpress-develop repository.
#10
@
21 months ago
- Owner set to peterwilsoncc
- Resolution set to fixed
- Status changed from new to closed
In 55670:
#11
21 months ago
@peterwilsoncc commented on PR #4241:
#12
@
21 months ago
- Keywords fixed-major added
- Resolution fixed deleted
- Status changed from closed to reopened
Reopening for backport, maybe.
This is milestoned for 6.2.1 but I am not sure if it will need to be backported.
The security tab and the link in the sidebar of a GitHub repository always link to the default branch's copy of the file. `SECURITY.md` in the file list opens the copy for the branch/tag the visitor is currently viewing. It may be handy to have an up-to-date copy of the policy in the 6.2 branch and future tags.
Trac ticket: https://core.trac.wordpress.org/ticket/57937