From: Daniel Stenberg
Date: Thu, 3 Dec 2020 13:18:51 +0000 (+0100)
Subject: SECURITY-PROCESS: disclose on hackerone
X-Git-Tag: curl-7_74_0~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6703eb2f4cd3cd0cf008e5103e2ec7aa85eabedc;p=thirdparty%2Fcurl.git

SECURITY-PROCESS: disclose on hackerone

Once a vulnerability has been published, the hackerone issue should be
disclosed. For transparency.

Closes #6275
---
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index c77ff17782..a5d487adfb 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -125,6 +125,14 @@ Publishing Security Advisories 6. On security advisory release day, push the changes on the curl-www repository's remote master branch. +Hackerone +--------- + +Request the issue to be disclosed. If there are sensitive details present in +the report and discussion, those should be redacted from the disclosure. The +default policy is to disclose as much as possible as soon as the vulnerability +has been published. + Bug Bounty ----------
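
Review bot: The new "Hackerone" section in docs/SECURITY-PROCESS.md does not say who requests the disclosure or who decides which "sensitive details" get redacted, so the step has no owner; naming the responsible party would make it actionable. Because the trigger is "as soon as the vulnerability has been published", consider also adding it as a step 7 in the "Publishing Security Advisories" list, directly after the release-day push in step 6, so it is not overlooked on release day. Style point: the service spells its name "HackerOne", so the heading and its underline could follow that.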