Making WordPress.org

Opened 6 months ago

Last modified 6 months ago

#4311 accepted defect

Forums: Add notice not to report vulnerabilities

Reported by: Ipstenu
Owned by: SergeyBiryukov
Milestone: (none)
Priority: normal
Component: Support Forums
Keywords: (none)
Cc: (none)

Description

Sometimes people report 0-days in the forums. Perhaps we should add a notice not to report those and direct people to the right places.

Core: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/
Plugins: https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/

Props to @benlk for the idea!

Change History (5)

#1 @benlk
6 months ago

The current text on forum submit pages is this:

When posting a new topic, follow these steps:

1. Read the Forum Welcome (https://wordpress.org/support/welcome/) to find out how to maximize your odds of getting help!
2. Search the forums (https://wordpress.org/support/search/) to see if your topic has been resolved already.
3. Update to the latest versions of your plugins, themes, and WordPress.
4. Note the exact steps needed to reproduce your issue.
5. Provide any information you might think is useful. If your issue is visual, note your browser and operating system. If your issue is technical, note your server environment.

Suggested revisions:

This ticket results from the discussion in Slack's #meta at https://wordpress.slack.com/archives/C02QB8GMM/p1553200752319200

#2 @SergeyBiryukov
6 months ago

  • Owner set to SergeyBiryukov
  • Status changed from new to accepted

#3 @SergeyBiryukov
6 months ago

In 8574:

Support Theme: Add a notice with a link to a handbook article on reporting security issues safely.

Props benlk, Ipstenu.
See #4311.

#4 @SergeyBiryukov
6 months ago

In 8575:

Support Theme: Add missing textdomain after [8574].

See #4311.

#5 @SergeyBiryukov
6 months ago

The notice is now live:

Reporting a security issue? Please read Reporting Security Vulnerabilities to do that safely.

I've linked to the Core handbook article, as it appears to be more comprehensive and covers plugins, WordPress.com, and self-hosted WordPress sites.

We should probably also add something to that effect to Forum Welcome, keeping the ticket open for that.
