Posted to commits@struts.apache.org by lu...@apache.org on 2017/06/28 15:17:48 UTC
svn commit: r1014667 -
/websites/production/struts/content/submitting-patches.html
Author: lukaszlenart
Date: Wed Jun 28 15:17:48 2017
New Revision: 1014667
Log:
Updates production
Modified:
websites/production/struts/content/submitting-patches.html
Modified: websites/production/struts/content/submitting-patches.html
==============================================================================
--- websites/production/struts/content/submitting-patches.html (original)
+++ websites/production/struts/content/submitting-patches.html Wed Jun 28 15:17:48 2017
@@ -335,9 +335,19 @@ you can get a bounty :-) You will find m
or under the link above, just to give you a quick guideline how does it work:</p>
<ul>
- <li>prepare a patch and submit it to our <a href="https://issues.apache.org/jira/browse/WW">JIRA</a>,
+ <li>if you found a way to improve security of the framework but this isnât a vulnerability:
+ <ul>
+ <li>prepare a patch and submit it to our <a href="https://issues.apache.org/jira/browse/WW">JIRA</a>,
it can be a Pull Request on GitHub as well, but must reference the JIRA ticket.</li>
- <li>let us know that you did something great, post a message to <a href="dev-mail.html">Struts Dev mailing list</a></li>
+ <li>let us know that you did something great, post a message to <a href="dev-mail.html">Struts Dev mailing list</a></li>
+ </ul>
+ </li>
+ <li>if you found a vulnerability and prepared a patch that fixes the vulnerability:
+ <ul>
+ <li>please contact us using the Security Mailing list <a href="mailto:security@struts.apache.org">security@struts.apache.org</a></li>
+ <li>keep all information in secret, do not publish any data about the vulnerability nor Proof-of-Concept, etc.</li>
+ </ul>
+ </li>
<li>we will review the patch and if itâs a real great thing then we will merge it into our code base</li>
<li>just wait on official release of the Apache Struts and now you can request the reward from Google :-)</li>
</ul>
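Review bot: The new "if you found a vulnerability and prepared a patch" item never says where the patch itself should go. It only says to contact security@struts.apache.org and keep the information secret, while the sibling item right above it still points at JIRA and GitHub Pull Requests. A reporter skimming the list could reasonably open a public ticket or PR for a security fix. Suggest stating it outright in the first sub-item, for example "send the patch by e-mail to security@struts.apache.org, do not open a JIRA ticket or a Pull Request". The trailing shared steps ("we will review the patch ...", "just wait on official release ...") now apply to both branches, so it may also help to say that details of a vulnerability stay private until that official release. Wording nits in the same item: "keep all information in secret" reads better as "keep all information secret", and "do not publish any data ... nor Proof-of-Concept" should use "or". The typographic apostrophe in the added "isn't" line arrives mis-encoded in this mail, so a plain ASCII apostrophe or an HTML entity would be safer there.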