From 60d8dc813e8b8f7898e1c727ebeda68a511a5b8e Mon Sep 17 00:00:00 2001 From: epriestley <git@epriestley.com> Date: Fri, 14 Mar 2014 14:33:41 -0700 Subject: [PATCH] Document the security vulnerability reporting policy Summary: Fixes T2791. I'm happy with HackerOne, so this pretty much just says "use HackerOne". Test Plan: {F128995} - Clicked all the links. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T2791 Differential Revision: https://secure.phabricator.com/D8538 --- src/docs/user/reporting_security.diviner | 41 ++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 src/docs/user/reporting_security.diviner diff --git a/src/docs/user/reporting_security.diviner b/src/docs/user/reporting_security.diviner new file mode 100644 index 0000000000..445313c970 --- /dev/null +++ b/src/docs/user/reporting_security.diviner 
@@ -0,0 +1,41 @@ +@title Reporting Security Vulnerabilities +@group intro + +Describes how to report security vulnerabilities in Phabricator. + += Overview = + +Phabricator runs a disclosure and award program through +[[ https://www.hackerone.com/ | HackerOne ]]. This program is the best way to +submit security issues to us, and awards responsible disclosure of +vulnerabilities with cash bounties. You can find our project page +here: + +(NOTE) https://hackerone.com/phabricator + +The project page has detailed information about the scope of the program and +how to participate. + +We have a 24 hour response timeline, and are usually able to respond to (and, +very often, fix) issues more quickly than that. + += Other Channels = + +You can also contact us on another channel if you prefer. See +@{article:Give Feedback! Get Support!} for a list of ways to get in touch +with us. + += Getting Notified = + +When we fix significant security vulnerabilities, we currently publish +information: + + - on our [[ https://www.facebook.com/phabricator | Facebook Page ]]; + - on our [[ https://twitter.com/phabricator | Twitter Feed ]]; + - and on IRC (`#phabricator` on FreeNode). + +If you'd prefer to receive information on other channels, let us know. + +General information about security is reported monthly in the +[[ http://phabricator.org/changelog/ | Changelog ]]. This includes low impact +issues, reports we did not act on, and other details.
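Review bot: The "24 hour response timeline" sentence in the Overview is ambiguous about what a response is, and the "Changelog" link is the only one in the file that uses plain `http://`. Two small changes would tighten the hunk: state whether the 24 hours covers an acknowledgement of the report or a fix (the clause "and, very often, fix" suggests acknowledgement is the commitment and fixing is best effort, so something like "We acknowledge reports within 24 hours, and are usually able to respond to (and, very often, fix) issues more quickly than that." would remove the doubt), and change `[[ http://phabricator.org/changelog/ | Changelog ]]` to `https://` if the site serves it, so that every link a reporter follows from a security-reporting page is delivered over TLS like the HackerOne, Facebook and Twitter links above it.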