greatbody
/
freeCodeCamp
mirror of https://github.com/freeCodeCamp/freeCodeCamp.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

docs: expand the responsible disclosure (#44549) 

* docs: expand the responsible disclosure

* Update docs/security.md

Co-authored-by: Nicholas Carrigan (he/him) <nhcarrigan@gmail.com>

Co-authored-by: Nicholas Carrigan (he/him) <nhcarrigan@gmail.com>
pull/44566/head
Mrugesh Mohapatra 2021-12-23 11:03:14 +05:30 committed by GitHub
parent 99795a5edc
commit 9b15d47566
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 38 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/_sidebar.md
View File

@ -1,6 +1,7 @@
- **Getting Started**
- [Introduction](index.md 'Contribute to the freeCodeCamp.org Community')
- [Frequently Asked Questions](FAQ.md)
- [Reporting a Vulnerability](security.md)
- **Translation Contribution**
- [Work on translating resources](how-to-translate-files.md)
- [Work on proofreading translations](how-to-proofread-files.md)

4
docs/security-hall-of-fame.md
View File

@ -1,6 +1,6 @@
# Responsible Disclosure - Hall of Fame
We appreciate any responsible disclosure of vulnerabilities that might impact the integrity of our platforms and users.
We appreciate any responsible disclosure of vulnerabilities that might impact the integrity of our platforms and users. If you are interested in contributing to the security of our platform, please read our [security policy outlined here](https://contribute.freecodecamp.org/#/security).
While we do not offer any bounties or swags at the moment, we are grateful to these awesome people for helping us keep the platform safe for everyone:
@ -8,5 +8,3 @@ While we do not offer any bounties or swags at the moment, we are grateful to th
- Peter Samir https://www.linkedin.com/in/peter-samir/
> ### Thank you for your contributions :pray:
If you are interested in contributing to the security of our platform, please read our [security policy outlined here](https://contribute.freecodecamp.org/#/security).

47
docs/security.md
View File

@ -1,21 +1,46 @@
# Security Policy
This document outlines our security policy for the codebase, and how to report vulnerabilities.
## Versions
| Version | Branch | Supported | Website active |
| ----------- | -------------- | ------------------ | ---------------- |
| production | `prod-current` | :white_check_mark: | freecodecamp.org |
| beta | `prod-staging` | :white_check_mark: | freecodecamp.dev |
| development | `main` | | |
This document outlines our security policy for the codebases, platforms that we operate, and how to report vulnerabilities.
## Reporting a Vulnerability
If you think you have found a vulnerability, _please report responsibly_. Don't create GitHub issues for security issues. Instead, please send an email to `security@freecodecamp.org` and we'll look into it immediately.
Ensure that you are using the **latest**, **stable** and **updated** version of the Operating System and Web Browser available to you on your machine.
We appreciate any responsible disclosure of vulnerabilities that might impact the integrity of our platforms and users.
While we do not offer any bounties or swags at the moment, we'll be happy to list your name in our [Hall of Fame](https://contribute.freecodecamp.org/#/security-hall-of-fame) list, provided the reports are not low-effort for example: using tools & online utilities to report SFP configurations, or SSL Server tests, etc. We consider those in the category of ["beg bounties"](https://www.troyhunt.com/beg-bounties/).
Once you report a vulnerability, we will look into it and make sure that it is not a false positive. We will get back to you if we need to clarify any details. You can submit separate reports for each issue you find.
Ensure that you are using the **latest**, **stable** and **updated** version of the Operating System and Web Browser available to you on your machine.
While we do not offer any bounties or swags at the moment, we'll be happy to list your name in our [Hall of Fame](https://contribute.freecodecamp.org/#/security-hall-of-fame) list, provided the reports are not low-effort.
We consider using tools & online utilities to report issues with SPF & DKIM configs, or SSL Server tests, etc. in the category of ["beg bounties"](https://www.troyhunt.com/beg-bounties/) and are unable to respond to these reports.
## Platforms & Codebases
Here is a list of the platforms and codebases we are accepting reports for:
### Learn Platform
| Version | Branch | Supported | Website active |
| ----------- | -------------- | --------- | ------------------------ |
| production | `prod-current` | Yes | `freecodecamp.org/learn` |
| staging | `prod-staging` | Yes | `freecodecamp.dev/learn` |
| development | `main` | No | |
### Publication Platform
| Version | Supported | Website active |
| ---------- | --------- | ---------------------------------- |
| production | Yes | `freecodecamp.org/news` |
| localized | Yes | `freecodecamp.org/<language>/news` |
### Mobile app
| Version | Supported | Website active |
| ---------- | --------- | ---------------------------------------------------------------- |
| production | Yes | `https://play.google.com/store/apps/details?id=org.freecodecamp` |
Apart from the above, we are also accepting reports for repositories hosted on GitHub, under the freeCodeCamp organization.
We self-host some of our platforms using open-source software like Ghost & Discourse. If you are reporting a vulnerability please ensure that it is not a bug in the upstream software.