Where to report security issues #69

Open
ePascalC opened this issue Feb 2, 2018 · 3 comments

Comments

@ePascalC

ePascalC commented Feb 2, 2018

This whitepaper gives a complete overview of the security around WordPress.org, but it seems to miss the places WHERE to report.

Please consider making links to e.g.
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#where-do-i-report-security-issues
https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/

@iandunn
Member

iandunn commented Feb 3, 2018

The WordPress Security Risks, Process, and History section links to the HackerOne program:

The WordPress Security Team believes in Responsible Disclosure by alerting the security team immediately of any potential vulnerabilities. Potential security vulnerabilities can be signaled to the Security Team via the WordPress HackerOne. The Security Team communicates amongst itself via a private Slack channel, and works on a walled-off, private Trac for tracking, testing, and fixing bugs and security problems.

Maybe that needs to be more explicit, though? Where did you expect to find a link to it? Maybe towards the beginning of the document?

It doesn't mention anything about reporting plugin vulnerabilities, but maybe that could be added to this paragraph?

When a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin. If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.

Or maybe it'd be better to just have something at the top that says something like:

If you'd like to disclose a vulnerability in WordPress itself, or any of the official websites maintained by WordPress.org, then please view our disclosure instructions. If you'd like to report a vulnerability in a 3rd-party plugin, please contact the Plugin Review Team.

What does everyone else think?

@ePascalC
Author

ePascalC commented Feb 3, 2018

The user reporting this wrote the following:

Why is it that .org doesn't have any obvious page about contact information for security concerns? There should be at least a list of the addresses to contact about WP, plugins, and themes, if not other parts of the infrastructure.

(After giving the pages:)

Well, that About page has a lot about security, but not how to report it. It also did not come up in the search. Maybe the problem is the search.
I have seen several people put things in Trac or in Slack, so I think it would be best if finding the info is easier. And reporting through Hackerone is very difficult... You have to sign up first, and then filling out the form is daunting when you don't understand any of the terms.

One answer that was given was: It’s targeted towards the security researcher community. Please feel free to use [email protected]

@iandunn
Member

iandunn commented Feb 3, 2018

One answer that was given was: It’s targeted towards the security researcher community. Please feel free to use [email protected]

That address technically works, but the security team prefers reports to go through HackerOne, since it makes management much much easier.

I think it'd be better to work on making the links in your report more visible. Maybe adding a Reporting Vulnerabilities section at the top of the white paper, and adding a Security link to the white paper in the global footer of w.org?
