From 6703eb2f4cd3cd0cf008e5103e2ec7aa85eabedc Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 3 Dec 2020 14:18:51 +0100
Subject: [PATCH] SECURITY-PROCESS: disclose on hackerone

Once a vulnerability has been published, the hackerone issue should be
disclosed. For tranparency.

Closes #6275
---
 docs/SECURITY-PROCESS.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md
index c77ff1778..a5d487adf 100644
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@@ -125,6 +125,14 @@ Publishing Security Advisories
 6. On security advisory release day, push the changes on the curl-www
    repository's remote master branch.
 
+Hackerone
+---------
+
+Request the issue to be disclosed. If there are sensitive details present in
+the report and discussion, those should be redacted from the disclosure. The
+default policy is to disclose as much as possible as soon as the vulnerability
+has been published.
+
 Bug Bounty
 ----------