Adds info on how to handle communication in case of a vulnerability
Project: http://git-wip-us.apache.org/repos/asf/struts-site/repo Commit: http://git-wip-us.apache.org/repos/asf/struts-site/commit/55ee0667 Tree: http://git-wip-us.apache.org/repos/asf/struts-site/tree/55ee0667 Diff: http://git-wip-us.apache.org/repos/asf/struts-site/diff/55ee0667 Branch: refs/heads/master Commit: 55ee0667a64e1722cab2b438025fbc64feafbece Parents: ff1e0f8 Author: Lukasz Lenart <[email protected]> Authored: Wed Jun 28 17:12:52 2017 +0200 Committer: Lukasz Lenart <[email protected]> Committed: Wed Jun 28 17:12:52 2017 +0200 ---------------------------------------------------------------------- source/submitting-patches.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts-site/blob/55ee0667/source/submitting-patches.md ---------------------------------------------------------------------- diff --git a/source/submitting-patches.md b/source/submitting-patches.md index 09510bd..a971c90 100644 --- a/source/submitting-patches.md +++ b/source/submitting-patches.md 
@@ -165,9 +165,13 @@ you can get a bounty :-) You will find more details on [the Google's blog](http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html) or under the link above, just to give you a quick guideline how does it work: -- prepare a patch and submit it to our [JIRA](https://issues.apache.org/jira/browse/WW), - it can be a Pull Request on GitHub as well, but must reference the JIRA ticket. -- let us know that you did something great, post a message to [Struts Dev mailing list](dev-mail.html) +- if you found a way to improve security of the framework but this isn't a vulnerability: + - prepare a patch and submit it to our [JIRA](https://issues.apache.org/jira/browse/WW), + it can be a Pull Request on GitHub as well, but must reference the JIRA ticket. + - let us know that you did something great, post a message to [Struts Dev mailing list](dev-mail.html) +- if you found a vulnerability and prepared a patch that fixes the vulnerability: + - please contact us using the Security Mailing list [[email protected]](mailto:[email protected]) + - keep all information in secret, do not publish any data about the vulnerability nor Proof-of-Concept, etc. - we will review the patch and if it's a real great thing then we will merge it into our code base - just wait on official release of the Apache Struts and now you can request the reward from Google :-)
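Review bot: the new "if you found a vulnerability" branch tells the reporter whom to contact and to keep the details private, but it never says how the patch itself should be delivered, so a reader may still fall back on the first branch and open a public JIRA ticket or GitHub Pull Request with the fix attached. Suggest making the sub-item explicit, e.g. "please contact us using the Security Mailing list ... and attach the patch to that mail, do not open a JIRA ticket or a Pull Request for it". The two trailing unchanged items ("we will review the patch ..." and "just wait on official release ...") now apply to both branches; for the vulnerability branch it would help to state that the fix is released together with a security bulletin and that the embargo holds until that release, since that is the moment the reporter can talk about it and request the reward. Minor wording: "keep all information in secret" reads better as "keep all information secret", and the "Proof-of-Concept, etc." item could simply say "or any Proof-of-Concept".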
