diff --git a/content/github/managing-security-vulnerabilities/about-disclosing-vulnerabilities.md b/content/github/managing-security-vulnerabilities/about-disclosing-vulnerabilities.md index 99bfd13a0d..37c5e88304 100644 --- a/content/github/managing-security-vulnerabilities/about-disclosing-vulnerabilities.md +++ b/content/github/managing-security-vulnerabilities/about-disclosing-vulnerabilities.md @@ -17,16 +17,16 @@ The initial report of a vulnerability is made privately, and the full details ar Security researchers should report vulnerabilities privately to maintainers. It's not acceptable to: - Disclose the vulnerability publicly - Not contact the maintainer -- Disclose the vulnerability before the code has been patched +- Disclose the vulnerability before a fixed version of the code is available -It's fine for security researchers to disclose a vulnerability publicly after a period of time, if they have tried to contact the maintainers and not received a response, or contacted them and been asked to wait too long to disclose it. +It's acceptable for security researchers to disclose a vulnerability publicly after a period of time, if they have tried to contact the maintainers and not received a response, or contacted them and been asked to wait too long to disclose it. #### Best practices for maintainers -Maintainers should disclose vulnerabilities in a timely manner, if a security vulnerability has been found in their repository. It's not acceptable to: -- Not disclose the vulnerability -- Not identify the vulnerability as a security issue -- Wait an unacceptably long time to create a fix +Maintainers should disclose vulnerabilities in a timely manner. If there is a security vulnerability in your repository, you should: +- Treat the vulnerability as a security issue rather than a simple bug +- Plan to disclose the vulnerability responsibly +- Aim to publish a fix as soon as you can Publishing the details of a security vulnerability doesn't make maintainers look bad. Security vulnerabilities are present everywhere in sofware nowadays, and users will trust maintainers who have a clear and established process for disclosing security vulnerabilities in their code. @@ -47,4 +47,4 @@ The process for reporting and disclosing vulnerabilities in {% data variables.pr As a maintainer, to disclose a vulnerability that exists in your repository (for example if someone got in touch and reported a vulnerability to you), you first create a draft security advisory in your package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)." - To get started, see "[Creating a security advisory](/github/managing-security-vulnerabilities/creating-a-security-advisory)." \ No newline at end of file + To get started, see "[Creating a security advisory](/github/managing-security-vulnerabilities/creating-a-security-advisory)." diff --git a/data/reusables/security-advisory/disclosing-vulnerabilities.md b/data/reusables/security-advisory/disclosing-vulnerabilities.md index ad3aa376cc..c2df3f60a4 100644 --- a/data/reusables/security-advisory/disclosing-vulnerabilities.md +++ b/data/reusables/security-advisory/disclosing-vulnerabilities.md @@ -1 +1 @@ -Vulnerability disclosure is an area where collaboration between security researchers and organizations is very important, from the moment a potentially harmful security vulnerability is found, right until a patch is available, and the vulnerability is disclosed to the world. Typically, when someone lets an organization maintainer know privately about a security vulnerability, the maintainer develops a fix, validates it, and notifies the repository users. \ No newline at end of file +Vulnerability disclosure is an area where collaboration between security researchers and project maintainers is very important, from the moment a potentially harmful security vulnerability is found, right until a patch is available, and the vulnerability is disclosed to the world. Typically, when someone lets a maintainer know privately about a security vulnerability, the maintainer develops a fix, validates it, and notifies the repository users.