phorge-phorge/src/docs/user/reporting_security.diviner

@title Reporting Security Vulnerabilities
@group intro

Describes how to report security vulnerabilities in Phabricator.

Overview
========

Phabricator runs a disclosure and award program through
[[ https://www.hackerone.com/ | HackerOne ]]. This program is the best way to
submit security issues to us, and awards responsible disclosure of
vulnerabilities with cash bounties. You can find our project page
here:

(NOTE) https://hackerone.com/phabricator

The project page has detailed information about the scope of the program and
how to participate.

We have a 24 hour response timeline, and are usually able to respond to (and,
very often, fix) issues more quickly than that.


Other Channels
==============

If you aren't sure if something qualifies or don't want to report via
HackerOne, you can submit the issue as a normal bug report. For instructions,
see @{article:Contributing Bug Reports}.


Get Updated
===========

General information about security changes is reported weekly in the
[[ https://secure.phabricator.com/w/changelog/ | Changelog ]].
Document the security vulnerability reporting policy Summary: Fixes T2791. I'm happy with HackerOne, so this pretty much just says "use HackerOne". Test Plan: {F128995} - Clicked all the links. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T2791 Differential Revision: https://secure.phabricator.com/D8538 2014-03-14 22:33:41 +01:00			`@title Reporting Security Vulnerabilities`
			`@group intro`

			`Describes how to report security vulnerabilities in Phabricator.`

Update support documentation for modern times Summary: Basically similar to D13941 but a little more extreme: - Really strongly emphasize reproducibility for bug reports, and set users up for rejection if they don't satisfy this. - Really strongly emphasize problem descriptions for feature requests, and set users up for rejection. - Get rid of various "please give us feedback"; we get plenty of feedback these days. - Some modernization tweaks. - Split the support document into: - Stuff we actually support for free (security / good bug reports / feature requests). - Stuff you can pay us for (hosting / consulting / prioritization). - A nebulous "community" section, with appropriate (low) expectations that better reflects reality. My overall goals here are: - Set expectations better, so users don't show up in IRC expecting it to be a "great place to get amazing support" or whatever the docs said in 2011. - Possibly move the needle slightly on bug reports / feature request quality, maybe. Test Plan: Read changes carefully. Reviewers: chad Reviewed By: chad Differential Revision: https://secure.phabricator.com/D14305 2015-10-19 22:29:24 +02:00			`Overview`
			`========`
Document the security vulnerability reporting policy Summary: Fixes T2791. I'm happy with HackerOne, so this pretty much just says "use HackerOne". Test Plan: {F128995} - Clicked all the links. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T2791 Differential Revision: https://secure.phabricator.com/D8538 2014-03-14 22:33:41 +01:00
			`Phabricator runs a disclosure and award program through`
			`[[ https://www.hackerone.com/ \| HackerOne ]]. This program is the best way to`
			`submit security issues to us, and awards responsible disclosure of`
			`vulnerabilities with cash bounties. You can find our project page`
			`here:`

			`(NOTE) https://hackerone.com/phabricator`

			`The project page has detailed information about the scope of the program and`
			`how to participate.`

			`We have a 24 hour response timeline, and are usually able to respond to (and,`
			`very often, fix) issues more quickly than that.`


Update support documentation for modern times Summary: Basically similar to D13941 but a little more extreme: - Really strongly emphasize reproducibility for bug reports, and set users up for rejection if they don't satisfy this. - Really strongly emphasize problem descriptions for feature requests, and set users up for rejection. - Get rid of various "please give us feedback"; we get plenty of feedback these days. - Some modernization tweaks. - Split the support document into: - Stuff we actually support for free (security / good bug reports / feature requests). - Stuff you can pay us for (hosting / consulting / prioritization). - A nebulous "community" section, with appropriate (low) expectations that better reflects reality. My overall goals here are: - Set expectations better, so users don't show up in IRC expecting it to be a "great place to get amazing support" or whatever the docs said in 2011. - Possibly move the needle slightly on bug reports / feature request quality, maybe. Test Plan: Read changes carefully. Reviewers: chad Reviewed By: chad Differential Revision: https://secure.phabricator.com/D14305 2015-10-19 22:29:24 +02:00			`Other Channels`
			`==============`
Document the security vulnerability reporting policy Summary: Fixes T2791. I'm happy with HackerOne, so this pretty much just says "use HackerOne". Test Plan: {F128995} - Clicked all the links. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T2791 Differential Revision: https://secure.phabricator.com/D8538 2014-03-14 22:33:41 +01:00
Update support documentation for modern times Summary: Basically similar to D13941 but a little more extreme: - Really strongly emphasize reproducibility for bug reports, and set users up for rejection if they don't satisfy this. - Really strongly emphasize problem descriptions for feature requests, and set users up for rejection. - Get rid of various "please give us feedback"; we get plenty of feedback these days. - Some modernization tweaks. - Split the support document into: - Stuff we actually support for free (security / good bug reports / feature requests). - Stuff you can pay us for (hosting / consulting / prioritization). - A nebulous "community" section, with appropriate (low) expectations that better reflects reality. My overall goals here are: - Set expectations better, so users don't show up in IRC expecting it to be a "great place to get amazing support" or whatever the docs said in 2011. - Possibly move the needle slightly on bug reports / feature request quality, maybe. Test Plan: Read changes carefully. Reviewers: chad Reviewed By: chad Differential Revision: https://secure.phabricator.com/D14305 2015-10-19 22:29:24 +02:00			`If you aren't sure if something qualifies or don't want to report via`
			`HackerOne, you can submit the issue as a normal bug report. For instructions,`
			`see @{article:Contributing Bug Reports}.`
Document the security vulnerability reporting policy Summary: Fixes T2791. I'm happy with HackerOne, so this pretty much just says "use HackerOne". Test Plan: {F128995} - Clicked all the links. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T2791 Differential Revision: https://secure.phabricator.com/D8538 2014-03-14 22:33:41 +01:00

Update support documentation for modern times Summary: Basically similar to D13941 but a little more extreme: - Really strongly emphasize reproducibility for bug reports, and set users up for rejection if they don't satisfy this. - Really strongly emphasize problem descriptions for feature requests, and set users up for rejection. - Get rid of various "please give us feedback"; we get plenty of feedback these days. - Some modernization tweaks. - Split the support document into: - Stuff we actually support for free (security / good bug reports / feature requests). - Stuff you can pay us for (hosting / consulting / prioritization). - A nebulous "community" section, with appropriate (low) expectations that better reflects reality. My overall goals here are: - Set expectations better, so users don't show up in IRC expecting it to be a "great place to get amazing support" or whatever the docs said in 2011. - Possibly move the needle slightly on bug reports / feature request quality, maybe. Test Plan: Read changes carefully. Reviewers: chad Reviewed By: chad Differential Revision: https://secure.phabricator.com/D14305 2015-10-19 22:29:24 +02:00			`Get Updated`
			`===========`
Document the security vulnerability reporting policy Summary: Fixes T2791. I'm happy with HackerOne, so this pretty much just says "use HackerOne". Test Plan: {F128995} - Clicked all the links. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T2791 Differential Revision: https://secure.phabricator.com/D8538 2014-03-14 22:33:41 +01:00
Update support documentation for modern times Summary: Basically similar to D13941 but a little more extreme: - Really strongly emphasize reproducibility for bug reports, and set users up for rejection if they don't satisfy this. - Really strongly emphasize problem descriptions for feature requests, and set users up for rejection. - Get rid of various "please give us feedback"; we get plenty of feedback these days. - Some modernization tweaks. - Split the support document into: - Stuff we actually support for free (security / good bug reports / feature requests). - Stuff you can pay us for (hosting / consulting / prioritization). - A nebulous "community" section, with appropriate (low) expectations that better reflects reality. My overall goals here are: - Set expectations better, so users don't show up in IRC expecting it to be a "great place to get amazing support" or whatever the docs said in 2011. - Possibly move the needle slightly on bug reports / feature request quality, maybe. Test Plan: Read changes carefully. Reviewers: chad Reviewed By: chad Differential Revision: https://secure.phabricator.com/D14305 2015-10-19 22:29:24 +02:00			`General information about security changes is reported weekly in the`
			`[[ https://secure.phabricator.com/w/changelog/ \| Changelog ]].`