-
Notifications
You must be signed in to change notification settings - Fork 23
Issue Process
Vladimir Reznichenko edited this page Feb 25, 2022
·
1 revision
- Single source of truth: GitHub is the primary source of information for bugs, issues, and work in progress (enhancements).
- Open: Default to open and keep as much conversation in Github as possible.
- Protect private information: Do not include private information anywhere in bug reports, pull requests, comments, commit messages or the actual code. This includes private URLs that won’t work for everyone.
- Secure: Any vulnerabilities or security issues are reported on a private GitHub mirror repo (dedicated for this purpose only). (See below.)
- Discover the problem, e.g. as part of testing, or raised by a customer in support.
- Understand how the problem impacts the product – what flows are broken? How are users affected?
- Reproduce the issue on a minimal site (WooCommerce + Amazon Pay + default theme).
- Log an issue in GitHub using the template and provide as much detail as possible.
A private GitHub repository is maintained specifically for handling security issues. This allows these (rare) issues to be addressed using similar processes while minimizing leaking details about the vulnerability until it’s patched.
- Discovery – the issue is raised via community, dev team, HackerOne, or a regular (public) issue.
- If the issue is logged on an open GitHub repo, delete the issue immediately.
- Open an issue on the private GitHub repo.
- Sync the private repo with the public repo (i.e. update trunk).
- Work to address the issue, communicating regularly with all relevant parties (e.g. keep HackerOne updated with comments, etc).
- All the security fixes should be added to the public repo only right before the fix release.
- Avoid detailed commit messages when adding commits to the public repository.
WooCommerce is an open source eCommerce platform built for WordPress and lovingly crafted by Automattic and the WooCommerce community ❤