reference to the security nature of the commit if done prior to the public
announcement.
-- The person discovering the issue, the reporter, reports the vulnerability to
- the curl project. Do this [on
- GitHub](https://github.com/curl/curl/security/advisories). Such submissions
- reach a handful of selected and trusted people.
+- The person discovering the issue, the reporter, reports the vulnerability on
+ [HackerOne](https://hackerone.com/curl). Issues filed there reach a handful
+ of selected and trusted people.
- Messages that do not relate to the reporting or managing of an undisclosed
security vulnerability in curl or libcurl are ignored and no further action
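Review bot: the replacement bullet (`+- The person discovering the issue ... on [HackerOne]`) drops the GitHub advisory link without saying what happens to reports that still arrive through that channel. The removed lines told reporters that GitHub submissions "reach a handful of selected and trusted people"; once this text is gone, a reporter who finds the GitHub form still enabled has no guidance. Suggest either stating explicitly that GitHub private reporting is no longer used, or keeping one sentence that redirects such submissions to HackerOne, so the document describes the only supported intake path.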
- The security webpage on the website should get the new vulnerability
mentioned.
-## GitHub Advisories
-
-We receive *advisories* submitted on GitHub but we consider them to be
-*reports*. Since we want to keep the original report as-is and preserved, we
-cannot use this system to author nor publish the actual final advisory for a
-confirmed vulnerability.
-
-The security reports submitted on GitHub are not published, instead they are
-always closed weather confirmed or not.
-
-Confirmed security reports are instead published as security advisories on the
-curl website in sync with the curl release in which the fix is published for
-the vulnerability.
-
-Unfortunately, GitHub does not allow us to disclose the reports. They can only
-be published as "advisories" - and they are not.
-
## security (at curl dot se)
This is a private mailing list for discussions on and about curl security
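Review bot: deleting the whole `## GitHub Advisories` section also removes the only statements about how incoming reports are handled once triaged: that the original report is preserved as-is, that reports are closed whether confirmed or not, and that confirmed reports are published as advisories on the curl website in sync with the fixing release (`-Confirmed security reports are instead published as security advisories on the` / `-curl website in sync with the curl release in which the fix is published for`). None of that is restated for HackerOne in this diff. Suggest replacing the removed section with a short HackerOne section that carries those same points (preservation of the original report, closure, and publication on the curl website) so reporters and maintainers still have the disclosure expectations written down. As a minor note, the `weather` typo on the removed line disappears with the section, so no separate fix is needed.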