The reporter is a digital agency or owner of a website who hired a third-party to perform a penetration test. The third party found a vulnerability.
In this case the agency and third-party should both be asked if they want to be given acknowledgement
The reporter is a staff member at Silverstripe, and they're reporting on behalf of a client who hired a third-party to perform a penetration test. The third party found a vulnerability.
In this case the client and third-party should both be asked if they want to be given acknowledgement
The [https://docs.silverstripe.org/en/5/contributing/managing_security_issues/](security issue/release process) mentions giving acknowledgement to the reporter - but in some scenarios the reporter isn't the correct person to acknowledge, necessarily.
Acceptance criteria