Create SECURITY.md
Hey there!
I belong to an open source security research community, and a member (@ranjit-git) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
Hiya @JamieSlome and @ranjit-git,
Thanks for bringing this to our attention. We'll get that sorted soonish (need to figure out an email address which can be used). In the meantime, you may want to report the issue to the WordPress HackerOne program. As Requests is shipped as part of WordPress Core, issues with Requests can be reported there and are eligible under the program.
@jrfnl - thanks for the response! ❤️
If the preferred process for WordPress is to submit vulnerabilities to HackerOne, we will certainly respect this process, and request @ranjit-git to submit it to them directly.
Can you confirm if this is the case?
For WordPress itself, HackerOne is definitely the preferred way. For Requests, we'll have a discussion about this in the near future, but until otherwise decided, HackerOne will work for the purpose of responsible disclosure.
Thanks @jrfnl!
@ranjit-git, I would recommend submitting your report via HackerOne in this instance then ❤️
Just checking: did the issue ever get reported? If so, would you mind posting a link so those of us who have access to the WP HackerOne account can have a look?
FYI: while a security.md file should still be created, in the meantime we have turned on private security reporting for this repo and I would like to encourage people to use it:
