Posted to commits@struts.apache.org by lu...@apache.org on 2017/06/28 15:17:48 UTC

svn commit: r1014667 - /websites/production/struts/content/submitting-patches.html

Author: lukaszlenart
Date: Wed Jun 28 15:17:48 2017
New Revision: 1014667

Log:
Updates production

Modified:
    websites/production/struts/content/submitting-patches.html

Modified: websites/production/struts/content/submitting-patches.html
==============================================================================
--- websites/production/struts/content/submitting-patches.html (original)
+++ websites/production/struts/content/submitting-patches.html Wed Jun 28 15:17:48 2017
@@ -335,9 +335,19 @@ you can get a bounty :-) You will find m
  or under the link above, just to give you a quick guideline how does it work:</p>
 
 <ul>
-  <li>prepare a patch and submit it to our <a href="https://issues.apache.org/jira/browse/WW">JIRA</a>,
+  <li>if you found a way to improve security of the framework but this isn’t a vulnerability:
+    <ul>
+      <li>prepare a patch and submit it to our <a href="https://issues.apache.org/jira/browse/WW">JIRA</a>,
 it can be a Pull Request on GitHub as well, but must reference the JIRA ticket.</li>
-  <li>let us know that you did something great, post a message to <a href="dev-mail.html">Struts Dev mailing list</a></li>
+      <li>let us know that you did something great, post a message to <a href="dev-mail.html">Struts Dev mailing list</a></li>
+    </ul>
+  </li>
+  <li>if you found a vulnerability and prepared a patch that fixes the vulnerability:
+    <ul>
+      <li>please contact us using the Security Mailing list <a href="&#109;&#097;&#105;&#108;&#116;&#111;:&#115;&#101;&#099;&#117;&#114;&#105;&#116;&#121;&#064;&#115;&#116;&#114;&#117;&#116;&#115;&#046;&#097;&#112;&#097;&#099;&#104;&#101;&#046;&#111;&#114;&#103;">&#115;&#101;&#099;&#117;&#114;&#105;&#116;&#121;&#064;&#115;&#116;&#114;&#117;&#116;&#115;&#046;&#097;&#112;&#097;&#099;&#104;&#101;&#046;&#111;&#114;&#103;</a></li>
+      <li>keep all information in secret, do not publish any data about the vulnerability nor Proof-of-Concept, etc.</li>
+    </ul>
+  </li>
   <li>we will review the patch and if it’s a real great thing then we will merge it into our code base</li>
   <li>just wait on official release of the Apache Struts and now you can request the reward from Google :-)</li>
 </ul>
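Review bot: The new vulnerability branch (the second top-level <li>) tells the reporter to contact the security list and keep details secret, but it never says where the patch itself should be delivered. The JIRA and GitHub Pull Request instruction now sits only in the first branch, and the unchanged item "we will review the patch" applies to both, so a reader could still attach a vulnerability fix to a public ticket. Suggest stating in that branch that the patch is sent to the security list only and is not filed in JIRA or as a Pull Request. The secrecy item would also read better as "keep all information confidential; do not publish any details about the vulnerability, a Proof-of-Concept, etc.", and it should say how long that applies, since the unchanged "just wait on official release of the Apache Struts" item is the only hint at when disclosure is acceptable.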