VULN-DISCLOSURE-POLICY: all reports should be disclosed

author Daniel Stenberg <daniel@haxx.se>

Sun, 29 Jun 2025 14:17:49 +0000 (16:17 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Sun, 29 Jun 2025 14:42:03 +0000 (16:42 +0200)
author Daniel Stenberg <daniel@haxx.se>
Sun, 29 Jun 2025 14:17:49 +0000 (16:17 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Sun, 29 Jun 2025 14:42:03 +0000 (16:42 +0200)
diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md

index ed2827bf2d11306a79248a007f9e7c75f0b44572..8ec4d9b89fa20e885008175bf7d680d338650f80 100644 (file)
--- a/docs/VULN-DISCLOSURE-POLICY.md
+++ b/docs/VULN-DISCLOSURE-POLICY.md
@@ -134,13 +134,16 @@ somewhat over time and a list somewhere only risks getting outdated.
  6. On security advisory release day, push the changes on the curl-www
     repository's remote master branch.
  
-## HackerOne
+## Disclose the report
  
  Request the issue to be disclosed. If there are sensitive details present in
  the report and discussion, those should be redacted from the disclosure. The
  default policy is to disclose as much as possible as soon as the vulnerability
  has been published.
  
+*All* reports submitted to the project, valid or not, should be disclosed and
+made public.
+
  ## Bug Bounty
  
  See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the
author	Daniel Stenberg <daniel@haxx.se>
	Sun, 29 Jun 2025 14:17:49 +0000 (16:17 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Sun, 29 Jun 2025 14:42:03 +0000 (16:42 +0200)