This repository was archived by the owner on Nov 16, 2022. It is now read-only.

update security policy wrt HackerOne reputation #296

Merged (1 commit) on Jul 29, 2015
26 changes: 19 additions & 7 deletions www/howto/handle-security-issues.spt
Expand Up @@ -6,13 +6,25 @@ nav_title = 'Handle Security Issues'
[HackerOne page](https://hackerone.com/gratipay). This document is for
internal Gratipay staff.*

We manage our entire security queue in HackerOne. We support email as a
fall-back. When we receive disclosures on [email protected], [file a
report](https://hackerone.com/gratipay/reports/new) at HackerOne and manage the
issue there. If the researcher doesn't want to join HackerOne, add them to
the [old Hall of Fame](https://gratipay.com/about/security/hall-of-fame) instead.
We [use HackerOne](https://hackerone.com/gratipay) to manage our security
[queue](./manage-queues). HackerOne assigns five reputation points for
reporting a bug, and two for reporting a duplicate. Therefore, if you need to
reticket anything from a HackerOne bug, be sure to have the original researcher
make the reticket so that they get the credit. Publicly disclose all resolved
HackerOne tickets.

If the issue requires code changes, create a private repo in GitHub, using the
We support email as a fall-back reporting mechanism. When we receive
disclosures on [email protected], ask the researcher to [file a
report](https://hackerone.com/gratipay/reports/new) at HackerOne instead. If
they are unresponsive or don't want to use HackerOne, then file the issue
yourself so we can manage the issue there (you'll get the reputation points in
this case). If the researcher doesn't join HackerOne, offer to add them to the
[old Hall of Fame](https://gratipay.com/about/security/hall-of-fame) instead.


## Code Changes

If an issue requires code changes, create a private repo in GitHub, using the
naming convention `security-deadbeef`, then do this:

```
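Review bot: the reputation figures in the new second paragraph ("five reputation points for reporting a bug, and two for reporting a duplicate") are HackerOne's numbers rather than this project's and can change without notice; either link the HackerOne reputation documentation or phrase the rule as "an original report earns more reputation than a duplicate", which is all the reticketing advice actually depends on. Two smaller points in the same hunk: "Publicly disclose all resolved HackerOne tickets" should be qualified with "once the fix is deployed" (the Code Changes section that follows exists precisely to deploy before the change is public), and the email fall-back paragraph says staff get the reputation points when they file on the researcher's behalf but only offers the Hall of Fame if the researcher "doesn't join HackerOne"; state explicitly that the researcher should still be credited in the report text when staff file it, so the credit question has one answer in both paths.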
Expand All @@ -24,7 +36,7 @@ git push $repo master:upstream
git push -u $repo $branch:$branch
```

And here's how to deploy them before merging back to upstream:
Here's how to deploy code changes before merging back to upstream:

```
git checkout master && git pull
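Review bot: the reworded sentence ("Here's how to deploy code changes before merging back to upstream:") still leaves the ordering unexplained; one clause such as "so the fix is live before the patch becomes visible in the public repo" would tie the deploy-first step to the private `security-deadbeef` repo introduced above and make the procedure self-explaining for the internal staff this page targets.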