
Update security process regarding who gets acknowledgement for finding vulnerabilities #496

Open
GuySartorelli opened this issue Apr 11, 2024 · 0 comments

@GuySartorelli
Member

The [security issue/release process](https://docs.silverstripe.org/en/5/contributing/managing_security_issues/) mentions giving acknowledgement to the reporter - but in some scenarios the reporter isn't necessarily the correct person to acknowledge.

Acceptance criteria

  • Doc is updated to reflect these scenarios:
    • The reporter is a digital agency or owner of a website who hired a third-party to perform a penetration test. The third party found a vulnerability.
      • In this case the agency and third-party should both be asked if they want to be given acknowledgement
    • The reporter is a staff member at Silverstripe, and they're reporting on behalf of a client who hired a third-party to perform a penetration test. The third party found a vulnerability.
      • In this case the client and third-party should both be asked if they want to be given acknowledgement