Remove security e-mail addresses #2179
The web interface is preferred for security (HTTP via TLS vs. possibly unencrypted e-mail), and using the e-mail addresses requires that the web interface be used to finalize reports. As such, just remove the security e-mail addresses entirely and only refer to the HackerOne web interface.
@nodejs/security-wg
Remove email for the Chinese version
Added ja version e-jigsaw@97a6332
While I would like to provide more alternatives for researchers to report issues, as it currently stands, even if you send an email you actually need to follow up with a login to H1 to submit the report, which is why I agree with this PR clearly promoting the H1 program instead of the e-mail, which may provide a less than obvious user experience.
Seems reasonable to me, @nodejs/security, any objections?
I guess not given the current situation; although I'm not thrilled about how we're forcing reporters to funnel everything through a platform they may not want to interact with. If I look up a store in my local area and they insist on making me use Facebook to see further information about them, most of the time I'll just move on. If the Linux Foundation helpdesk wants me to use JIRA to interact with them then I'll choose not to interact with them. If I need to use Bugzilla to file a bug report on your project then I'll nope on out of there. Where the transaction cost is higher than the care-factor, reporters will just opt out.
Considering the problems we had in the past, I think this is ok.
@nodejs/nodejs-ko Review please. Just updated to follow changes of security.md.
@yous LGTM
The web interface is preferred for security (HTTP via TLS vs. possibly unencrypted e-mail),
and using the e-mail addresses requires that the web interface be used to finalize reports.
As such, just remove the security e-mail addresses entirely and only refer to the HackerOne
web interface.
Fixes: nodejs/security-wg#123