Making WordPress.org

Opened 6 years ago

Closed 5 years ago

#4311 closed defect (bug) (fixed)

Forums: Add notice not to report vulnerabilities

Reported by: Ipstenu
Owned by: SergeyBiryukov
Milestone: (none)
Priority: normal
Component: Support Forums
Keywords: (none)
Cc: (none)

Description

Sometimes people report 0-days in the forums. Perhaps we should add a notice not to report those and direct people to the right places.

Core: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/
Plugins: https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/

Props to @benlk for the idea!

Change History (6)

#1 @benlk
6 years ago

The current text on forum submit pages is this:

When posting a new topic, follow these steps:
Read the Forum Welcome https://wordpress.org/support/welcome/ to find out how to maximize your odds of getting help!
Search https://wordpress.org/support/search/ the forums to see if your topic has been resolved already.
Update to the latest versions of your plugins, themes, and WordPress.
Note the exact steps needed to reproduce your issue.
Provide any information you might think is useful. If your issue is visual, note your browser and operating system. If your issue is technical, note your server environment.

Suggested revisions:

This ticket results from the discussion in Slack's #meta at https://wordpress.slack.com/archives/C02QB8GMM/p1553200752319200

#2 @SergeyBiryukov
6 years ago

  • Owner set to SergeyBiryukov
  • Status changed from new to accepted

#3 @SergeyBiryukov
6 years ago

In 8574:

Support Theme: Add a notice with a link to a handbook article on reporting security issues safely.

Props benlk, Ipstenu.
See #4311.

#4 @SergeyBiryukov
6 years ago

In 8575:

Support Theme: Add missing textdomain after [8574].

See #4311.

#5 @SergeyBiryukov
6 years ago

The notice is now live:

Reporting a security issue? Please read Reporting Security Vulnerabilities to do that safely.

I've linked to the Core handbook article, as it appears to be more comprehensive and covers plugins, WordPress.com, and self-hosted WordPress sites.

We should probably also add something to that effect to Forum Welcome, keeping the ticket open for that.

#6 @Clorith
5 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

I've updated the forum welcome to also link to the core handbook page on reporting vulnerabilities, along with a reminder not to post them in a public forum.
