Update security issues documentation

We're now using HackerOne to handle reports. Signed-off-by: Michal Čihař <michal@cihar.com>
WeblateOrg · Apr 24, 2017 · 582f2bc · 582f2bc
1 parent 52919bf
commit 582f2bc
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 14 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -3,17 +3,8 @@
 We take security very seriously at Weblate. We welcome any peer review of our
 100% open source code to ensure nobody's Weblate is ever compromised or hacked.
 
-### Where should I report security issues?
+You can find more information on reporting security issues in
+[our documentation][1] and on [our page at HackerOne][2].
 
-In order to give the community time to respond and upgrade we strongly urge you
-report all security issues privately. Please report them by email to
-michal@cihar.com. You can choose to encrypt it using his PGP key
-`9C27B31342B7511D`.
-
-### Django
-
-We're heavily depending on Django for many things (escaping in templates,
-CSRF protection and so on). In case you find vulnerability which is affecting
-Django in general, please report it directly to Django:
-
-https://docs.djangoproject.com/en/dev/internals/security/
+[1]: https://docs.weblate.org/en/latest/contributing.html#security
+[2]: https://hackerone.com/weblate
diff --git a/docs/contributing.rst b/docs/contributing.rst
@@ -47,12 +47,46 @@ You can also specify individual tests to run:
     See `Testing in Django <https://docs.djangoproject.com/en/stable/topics/testing/>`_ 
     for more information on running and writing tests for Django.
 
+Reporting issues
+----------------
+
 Issue tracking
 ++++++++++++++
 
-The issue tracker is hosted on GitHub as well:
+Our issue tracker is hosted at GitHub:
 <https://github.com/WeblateOrg/weblate/issues>
 
+Feel welcome to report any issues or suggestions to improve Weblate there. In
+case you have found security issue in Weblate, please consult section below.
+
+.. _security:
+
+Security issues
++++++++++++++++
+
+In order to give the community time to respond and upgrade we strongly urge you
+report all security issues privately. We're currently using HackerOne to handle
+security issues, so you are welcome to report issues directly at
+<https://hackerone.com/weblate>.
+
+Alternatively you can report them to security@weblate.org, which ends up on
+HackerOne as well.
+
+If you don't want to use HackerOne for whatever reason, you can send the report
+by email to michal@cihar.com. You can choose to encrypt it using his PGP key
+`9C27B31342B7511D`.
+
+.. note::
+
+    We're heavily depending on third party components for many things.  In case
+    you find vulnerability which is affecting those components in general,
+    please report it directly to them.
+
+    See following sites for some of these:
+
+    * `Django <https://docs.djangoproject.com/en/dev/internals/security/>`_
+    * `Django REST Framework <http://www.django-rest-framework.org/#security>`_
+
 Starting with our codebase
 --------------------------