f500 / elewant


Add "responsible disclosure" to the site and project #74

Open ramondelafuente opened 6 years ago

ramondelafuente commented 6 years ago

Give people a place to notify us privately when they find security issues. This could be as simple as an email address, but let's be explicit about it.

edwinkortman commented 6 years ago

Yes! This should be mandatory for any project, open source or not. Having said that, one of the most used tools for ethical hacking and bounties is HackerOne. It's used by big enterprises like Discourse, Starbucks and Spotify all around the world. Fortunately for us, they have a community edition (free).

The rules for participation are described here.

I think the learning value here is derived from using this third-party, high-end bug bounty tool, which could (or should ;-)) be applied for customers with an open-to-the-public platform.

What is your opinion about using a tool like this?

ramondelafuente commented 6 years ago

Oh, if we're eligible I'm all for it :-) Certainly an area where we could learn from using a good high-end tool. I have applied for a community edition account. And now... we wait!

ramondelafuente commented 6 years ago

Aaaaaand nothing but crickets. Looks like we're going to solve this another way :)