Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update to HackerOne reporting text #1675

Open
mcollina opened this issue Jan 20, 2025 · 4 comments
Open

update to HackerOne reporting text #1675

mcollina opened this issue Jan 20, 2025 · 4 comments

Comments

@mcollina
Copy link
Member

I propose we amend this paragraph

All reports are evaluated based on the Node.js Threat Model. You can find more information about it at SECURITY.md.

Adding:

All reports that fail to be reproducible with standard Open Source tools will be closed as "not applicable", e.g. bash, python, node.js scripts are acceptable, burp suite is not.
@RafaelGSS
Copy link
Member

SGTM

@mhdawson
Copy link
Member

I wonder if the following would be better:

All reports should be be reproducible with standard Open Source tools (, e.g. bash, python, node.js scripts are acceptable, burp suite is not.) or include references to the specific source code relevant to the issue. Reports that can only be reproduced with non-open source tools and cannot otherwise be confirmed will be closed as "not applicable".

@RafaelGSS
Copy link
Member

I think we should mention including additional context using tools like burp suite is acceptable, but reproducible examples must use easy-to-use tools. Preferable, Node.js and Bash.

@mhdawson
Copy link
Member

@RafaelGSS that was along the lines of what I was trying to get at, so agree on that front.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mcollina @mhdawson @RafaelGSS