Make WordPress Core

#57937 closed defect (bug) (fixed)

Sync the SECURITY.md file with our HackerOne policy

Reported by: desrosj
Owned by: peterwilsoncc
Milestone: 6.2.1
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch fixed-major
Focuses:
Cc:

Description

The SECURITY.md file has fallen out of sync with the policy outlined on the project's HackerOne profile.

The file in Core should be updated to match the policy listed there.

Change History (14)

#1 @desrosj
16 months ago

  • Summary changed from Update the SECURITY.md file to Sync the SECURITY.md file with our HackerOne policy

#3 @hellofromTonya
16 months ago

  • Keywords commit added

Patch: https://github.com/WordPress/wordpress-develop/pull/4241

@desrosj the changes now match HackerOne's Policy page content. Marking for commit.

#4 @peterwilsoncc commented on PR #4241:
16 months ago

Just so you're aware when committing these changes, grunt patch doesn't work with SECURITY.md, so you'll need to do something like patch -p0 < ${gh pr diff 4241 --repo=WordPress/wordpress-develop} to get this into your commit checkout. (Unless I've messed up and it's -p1.)

#5 follow-up: @peterwilsoncc
16 months ago

To follow the KISS principle, it might be easier to link to H1 rather than attempt to maintain multiple sources of truth.

I'd suggest:

  • supported versions
  • targets

### Full policy

The full security policy for WordPress, WordPress.org and other WordPress foundation products
can be found on the [WordPress HackerOne program page](https://hackerone.com/wordpress).

Security issues must be submitted via HackerOne and it is recommended that you read the full policy
document before submitting your report.

#6 @costdev
16 months ago

  • Keywords dev-feedback added

Adding dev-feedback to draw attention to this comment.

#7 in reply to: ↑ 5 @desrosj
15 months ago

  • Keywords commit dev-feedback removed

Replying to peterwilsoncc:

To follow the KISS principle, it might be easier to link to H1 rather than attempt to maintain multiple sources of truth.

I think this is a fine path to take, though I'd probably include something about responsible disclosure.

### Full policy

WordPress is an open-source publishing platform. The WordPress Security Team believes in Responsible Disclosure by alerting the security team immediately and privately of any potential vulnerabilities.

Our HackerOne program covers the Core software, as well as a variety of related projects and infrastructure. 

The full security policy and the full list of covered projects and infrastructure can be found on the [WordPress HackerOne program page](https://hackerone.com/wordpress).

Security issues must be submitted via HackerOne and it is recommended that you read the full policy
document before submitting your report.

I'll update the pull request accordingly to reflect this.

#8 @desrosj
15 months ago

One question I'd like to make sure we know the answer of. Is there any benefit on GitHub that we'd lose by truncating our SECURITY.md file? For example, does GH parse certain sections and list it anywhere for easy reference?

#9 @peterwilsoncc
15 months ago

It looks like GitHub simply lists it in full at https://github.com/WordPress/wordpress-develop/security/

@desrosj You will need to view in a private window as you're an administrator of the wordpress-develop repository.

#10 @peterwilsoncc
15 months ago

  • Owner set to peterwilsoncc
  • Resolution set to fixed
  • Status changed from new to closed

In 55670:

Security: Update GitHub security policy to refer to H1.

Update the security policy displayed on GitHub, SECURITY.md, to refer visitors to the HackerOne WordPress program for the full policy.

This allows the project to maintain a single source of truth and avoid the potential for conflicting information across the two sites.

Props desrosj, hellofromTonya, costdev.
Fixes #57937.

#12 @peterwilsoncc
15 months ago

  • Keywords fixed-major added
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening for backport, maybe.

This is milestoned for 6.2.1 but I am not sure if it will need to be backported.

The security tab and the link in the sidebar of a GitHub repository always link to the default branch's copy of the file.

SECURITY.md in the file list opens the copy for the branch/tag the visitor is currently viewing. It may be handy to have an up-to-date copy of the policy in the 6.2 branch and future tags.

#13 @desrosj
15 months ago

I think backporting to the currently supported branch makes sense, especially where 6.3 is not due out until August.

#14 @peterwilsoncc
15 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 55679:

Security: Update GitHub security policy to refer to H1.

Update the security policy displayed on GitHub, SECURITY.md, to refer visitors to the HackerOne WordPress program for the full policy.

This allows the project to maintain a single source of truth and avoid the potential for conflicting information across the two sites.

Props desrosj, hellofromTonya, costdev.
Merges [55670] to the 6.2 branch.
Fixes #57937.
