Merge pull request #3465 from 10up/chore/security-docs

Patchstack Vulnerability Disclosure Program
10up · May 19, 2023 · 6a07614 · 6a07614
2 parents 0482ee7 + 9f63211
commit 6a07614
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -14,9 +14,9 @@ ElasticPress, a fast and flexible search and query engine for WordPress, enables
 
 ## Documentation
 
-ElasticPress has an in depth documentation site. [Visit the docs ☞](https://10up.github.io/ElasticPress/)
-
-ElasticPress FAQs and tutorials can be found on our support site. [Visit the support site ☞](https://elasticpress.zendesk.com/hc/en-us)
+* [Docs website ☞](https://10up.github.io/ElasticPress/)
+* [Support site with FAQs and tutorials ☞](https://elasticpress.zendesk.com/hc/en-us)
+* [Security Policy ☞](https://github.com/10up/ElasticPress/blob/develop/SECURITY.md)
 
 ## Requirements and Compatibility
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -6,20 +6,12 @@ The following versions of this project are currently being supported with securi
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 3.6.0   | :white_check_mark: |
-| 3.5.6   | :white_check_mark: |
-| <3.5.5  | :x:                |
+| 4.5.0   | :white_check_mark: |
+| <4.4.1  | :x:                |
 
 ## Reporting a Vulnerability
 
-To report a security issue please email details to opensourcesecurity@10up.com with a descriptive subject line.  This account is monitored by a small team within 10up.  In addition, please include the following information along with your report:
-
-- Your name and affiliation (if any).
-- A description of the technical details of the vulnerability.  It is very important to let us know how we can reproduce your findings.
-- An explanation who can exploit this vulnerability, and what they gain when doing so -- write an attack scenario.  This will help us evaluate your report quickly, especially if the issue is complex.
-- Whether this vulnerability is public or known to third parties.  If it is, please provide details.
-
-If you believe that an existing (public) issue is security-related, please send an email to opensourcesecurity@10up.com.  The email should include the issue ID and a short description of why it should be handled according to this security policy.
+You can report any security bugs found in the source code of ElasticPress through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/elasticpress). The Patchstack team will assist you with verification, CVE assignment and take care of notifying the developers of this plugin.
 
 ## Responding to Vulnerability Reports
 

diff --git a/readme.txt b/readme.txt
@@ -53,6 +53,10 @@ If you have identified a bug or would like to suggest an enhancement, please ref
 
 If you are an ElasticPress.io customer, please open a ticket in your account dashboard. If you need a custom solution, we also offer [consulting](https://www.elasticpress.io/elasticpress-consulting/).
 
+= Where do I report security bugs? =
+
+You can report any security bugs found in the source code of ElasticPress through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/elasticpress). The Patchstack team will assist you with verification, CVE assignment and take care of notifying the developers of this plugin.
+
 = Is ElasticPress compatible with OpenSearch or Elasticsearch X.Y? =
 
 ElasticPress requirements can be found in the [Requirements section](https://github.com/10up/ElasticPress#requirements) of our GitHub repository. If your solution relies on a different server or version, you may find additional information on our [Compatibility documentation page](https://10up.github.io/ElasticPress/tutorial-compatibility.html).