iandunn
commented
6 years ago The WordPress Security Risks, Process, and History section links to the HackerOne program:
The WordPress Security Team believes in Responsible Disclosure by alerting the security team immediately of any potential vulnerabilities. Potential security vulnerabilities can be signaled to the Security Team via the WordPress HackerOne. The Security Team communicates amongst itself via a private Slack channel, and works on a walled-off, private Trac for tracking, testing, and fixing bugs and security problems.
Maybe that needs to be more explicit, though? Where did you expect to find a link to it? Maybe towards the beginning of the document?
It doesn't mention anything about reporting plugin vulnerabilities, but maybe that could be added to this paragraph?
When a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin. If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.
Or maybe it'd be better to just have something at the top that says something like:
If you'd like to disclosure a vulnerability in WordPress itself, or any of the official websites maintained by WordPress.org, then please view our disclosure instructions. If you'd like to report a vulnerability in a 3rd-party plugin, please contact the Plugin Review Team.
What does everyone else think?
ePascalC
This whitepaper give a complete overview of the security around WordPress.org, but it seems to miss the places WHERE to report.
Please consider making links to e.g. https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/