From 695624669a4bc52a6ea02aab0a7ecd8a6825b196 Mon Sep 17 00:00:00 2001 From: mchammer01 <42146119+mchammer01@users.noreply.github.com> Date: Mon, 22 Feb 2021 11:41:21 +0000 Subject: [PATCH] address review comments --- .../about-disclosing-vulnerabilities.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/github/managing-security-vulnerabilities/about-disclosing-vulnerabilities.md b/content/github/managing-security-vulnerabilities/about-disclosing-vulnerabilities.md index 37c5e88304..3a1a5b6925 100644 --- a/content/github/managing-security-vulnerabilities/about-disclosing-vulnerabilities.md +++ b/content/github/managing-security-vulnerabilities/about-disclosing-vulnerabilities.md 
@@ -34,17 +34,17 @@ Publishing the details of a security vulnerability doesn't make maintainers look The process for reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom_the_website %} is as follows: - If you are a security researcher who would like report a vulnerability, first check if there is a security policy for the related repository. For more information, see "[About security policies](/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository#about-security-policies)." If there is one, follow it to understand the process before contacting the security team for that repository. + If you are a security researcher who would like report a vulnerability, first check if there is a security policy for the related repository. For more information, see "[About security policies](/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository#about-security-policies)." If there is one, follow it to understand the process before contacting the security team for that repository. If there isn't a security policy for the repository, you may try to privately contact the maintainer based on information available in the _security.md_ file. - If you are a maintainer, it's likely that a security researcher will email you or otherwise privately contact you. This can be, for example, based on information in your _security.md_ file. Alternatively, someone may open a (public) issue with details of a security issue. - {% note %} **Note**: _For npm only_ - If you report a vulnerability to npm, we try to contact you privately. If you don't address the issue in a timely manner, we will disclose it. For more information, see "[Reporting malware in an npm package](https://docs.npmjs.com/reporting-malware-in-an-npm-package)" on the npm Docs website. 
{% endnote %} - As a maintainer, to disclose a vulnerability that exists in your repository (for example if someone got in touch and reported a vulnerability to you), you first create a draft security advisory in your package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)." + If you are a maintainer, it's likely that a security researcher will email you or otherwise privately contact you. Alternatively, someone may open a (public) issue with details of a security issue. + + As a maintainer, to disclose a vulnerability that exists in your repository, you first create a draft security advisory in your package's repository in {% data variables.product.prodname_dotcom %}. {% data reusables.security-advisory.security-advisory-overview %} For more information, see "[About {% data variables.product.prodname_security_advisories %}](/github/managing-security-vulnerabilities/about-github-security-advisories)." To get started, see "[Creating a security advisory](/github/managing-security-vulnerabilities/creating-a-security-advisory)."
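Review bot: The rewritten `+` line for the security-researcher bullet still carries the grammar slip from the `-` line, "who would like report a vulnerability"; since the line is being touched anyway, change it to "who would like to report a vulnerability". The new fallback sentence, "If there isn't a security policy for the repository, you may try to privately contact the maintainer based on information available in the _security.md_ file", also needs a second look: the sentence before it tells the reader to check for a security policy first, so it is unclear how a _security.md_ file would hold contact details in a repository that has no policy; either explain what that file is expected to contain in that case or point the reader at a different source of contact information. Lastly, the npm note is deleted without being moved elsewhere in the file; confirm that dropping it outright, rather than relocating it, is what the review comments asked for.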