From a4298a0c4b40f2c5b8afafc07dab809584b4e274 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 22 May 2024 11:18:54 +0200 Subject: [PATCH] Add reference to advisory page in GitHub --- docs/security-and-privacy/statement-on-security/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/security-and-privacy/statement-on-security/README.md b/docs/security-and-privacy/statement-on-security/README.md index 0942ed317ff..1ec599e5d2a 100644 --- a/docs/security-and-privacy/statement-on-security/README.md +++ b/docs/security-and-privacy/statement-on-security/README.md @@ -51,6 +51,8 @@ If you can, please send us a PGP-encrypted email using the following key: - Fingerprint BDCF E01E DE84 EA19 9AE1 72CE 7D66 9C6D 4753 3958 - You may also find the key [attached in our OpenProject repository.](security-at-openproject.com.asc) +You can also [report a vulnerability directly in GitHub](https://github.com/opf/openproject/security/advisories/new), if you prefer. In that case, please _also_ send an informal email to [security@openproject.com](mailto:security@openproject.com) with the link to the advisory, as GitHub notifications are sometimes hard to fully dig through, and we wouldn't want to miss your report. + Please include a description on how to reproduce the issue if possible. Our security team will get your email and will attempt to reproduce and fix the issue as soon as possible. > **Please note:** OpenProject currently does not offer a bug bounty program. We will do our best to give you the appropriate credits for responsibly disclosing a security vulnerability to us. We will gladly reference your work, name, website on every publication we do related to the security update.
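Review bot: The added paragraph asks reporters to "send an informal email to security@openproject.com with the link to the advisory" but does not say that this email should carry only the link. It sits directly below the PGP key details, so a reporter could reasonably repeat the vulnerability description in an unencrypted message. Consider wording such as "with just the link to the advisory (no vulnerability details are needed in that email)". Separately, the unchanged context line after it, "Our security team will get your email and will attempt to reproduce and fix the issue", now reads as covering email reports only; it could be adjusted to "your report" so that it also applies to advisories filed in GitHub.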