Issue Process
Jason Conroy edited this page Sep 23, 2021
- Single source of truth: GitHub is the primary source of information for bugs, issues, and work in progress (enhancements).
- Open: Default to open and keep as much of the conversation in GitHub as possible.
- Protect private information: Do not include private information anywhere in bug reports, pull requests, comments, commit messages, or the actual code. This includes private URLs that won’t work for everyone.
- Secure: Vulnerabilities and other security issues are never filed publicly; they are reported on a private GitHub mirror repo that exists only for this purpose (see below).
- Discover the problem, e.g. as part of testing, or raised by a customer in support.
- Understand how the problem impacts the product – what flows are broken? How are users affected?
- Reproduce the issue on a minimal site (WooCommerce + Pinterest + default theme).
- Log an issue in GitHub using the template and providing as much detail as possible.
A private GitHub repository is maintained specifically for handling security issues. This allows these (rare) issues to be handled with the same process as other bugs while minimising the risk of leaking details about the vulnerability before it is patched.
- Discovery – issue is raised via community, dev team, HackerOne, or a regular (public) issue.
- If the issue was logged on the public GitHub repo, delete it immediately (deleting, not closing: a closed issue stays publicly readable, and deletion needs admin permission on the repo).
- Open an issue on the private GitHub repo.
- Sync the private repo with the public repo (i.e. bring its trunk up to date with the public trunk) so the fix is developed against current code.
- Work to address the issue, communicating regularly with all relevant parties (e.g. keep HackerOne updated with comments, etc).
- Security fixes are pushed to the public repo only immediately before the fix release.
- Keep commit messages terse when pushing these commits to the public repository; the detailed explanation stays in the private repo.
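The steps above (sync the private mirror's trunk, develop the fix privately, land it on the public trunk only at release time with a terse message) as an added example, not part of this wiki page or the project's own tooling. It runs offline against two throwaway local bare repositories that stand in for the public repo and the private mirror; the repo paths, the `fix/security-issue` branch name, the `plugin.php` file and all commit messages are constructed assumptions, and the two remote paths would be replaced with the real repo URLs in practice.

```shell
#!/bin/sh
# Added example (not the project's own tooling): the private-mirror workflow
# run against two local bare repos standing in for the public GitHub repo and
# the private security mirror. Repo paths, branch names, file names and commit
# messages are all constructed assumptions.
set -eu

export GIT_AUTHOR_NAME="example" GIT_AUTHOR_EMAIL="example@example.invalid"
export GIT_COMMITTER_NAME="example" GIT_COMMITTER_EMAIL="example@example.invalid"

WORK="${WORK:-$(mktemp -d)}"
PUBLIC_REMOTE="$WORK/public.git"    # assumption: stand-in for the public repo URL
PRIVATE_REMOTE="$WORK/private.git"  # assumption: stand-in for the private mirror URL
CLONE="$WORK/private-clone"         # working copy of the private mirror
FIX_BRANCH="fix/security-issue"     # assumption: any private branch name

# Build the stand-in remotes (constructed): both start from the same import,
# then the public trunk moves on with unrelated work, as it would in practice.
setup_stand_in_remotes() {
    git init -q --bare "$PUBLIC_REMOTE"
    git init -q --bare "$PRIVATE_REMOTE"
    git -C "$PUBLIC_REMOTE" symbolic-ref HEAD refs/heads/trunk
    git -C "$PRIVATE_REMOTE" symbolic-ref HEAD refs/heads/trunk
    seed="$WORK/seed"
    git init -q "$seed"
    git -C "$seed" symbolic-ref HEAD refs/heads/trunk
    printf 'release 1\n' > "$seed/plugin.php"
    git -C "$seed" add plugin.php
    git -C "$seed" commit -q -m "Initial import"
    git -C "$seed" push -q "$PUBLIC_REMOTE" trunk
    git -C "$seed" push -q "$PRIVATE_REMOTE" trunk
    printf 'release 1 + feature\n' > "$seed/plugin.php"
    git -C "$seed" commit -q -am "Add unrelated feature"
    git -C "$seed" push -q "$PUBLIC_REMOTE" trunk
}

# "Sync the private repo with the public repo": bring the mirror's trunk up to
# date with the public trunk. Fast-forward only: if this fails, someone has
# committed directly to the private trunk and that must be reconciled first.
sync_private_trunk() {
    git clone -q "$PRIVATE_REMOTE" "$CLONE"
    git -C "$CLONE" remote add public "$PUBLIC_REMOTE"
    git -C "$CLONE" fetch -q public
    git -C "$CLONE" checkout -q trunk
    git -C "$CLONE" merge -q --ff-only public/trunk
    git -C "$CLONE" push -q origin trunk
}

# "Work to address the issue": the fix, with its full explanation in the
# commit message, lives only on a branch of the private mirror.
develop_fix_privately() {
    git -C "$CLONE" checkout -q -b "$FIX_BRANCH" trunk
    printf 'release 1 + feature + fix\n' > "$CLONE/plugin.php"
    git -C "$CLONE" commit -q -am "Detailed explanation of the issue and fix (private only)"
    git -C "$CLONE" push -q origin "$FIX_BRANCH"
}

# "Add to the public repo only right before the release" with a terse message:
# squash the private branch into one commit so the public history carries
# neither the detailed private messages nor the branch name.
publish_fix() {
    git -C "$CLONE" checkout -q trunk
    git -C "$CLONE" merge -q --squash "$FIX_BRANCH"
    git -C "$CLONE" commit -q -m "Fix input handling"
    git -C "$CLONE" push -q public trunk:trunk
    git -C "$CLONE" push -q origin trunk
}

# Helpers for checking the outcome.
latest_public_subject() { git -C "$PUBLIC_REMOTE" log -1 --format=%s trunk; }
count_public_commits_mentioning() {
    git -C "$PUBLIC_REMOTE" log --format='%s%n%b' trunk | grep -c -- "$1" || true
}
private_fix_subject() { git -C "$PRIVATE_REMOTE" log -1 --format=%s "$FIX_BRANCH"; }
trunks_in_sync() {
    [ "$(git -C "$PUBLIC_REMOTE" rev-parse trunk)" = "$(git -C "$PRIVATE_REMOTE" rev-parse trunk)" ]
}

setup_stand_in_remotes
sync_private_trunk
develop_fix_privately
publish_fix
echo "public trunk now at: $(latest_public_subject)"
```

The `--ff-only` merge is the check worth keeping from this script: it turns a drifted private trunk into a hard error instead of a silent merge commit, and the `--squash` at release time is what keeps the private commit messages out of the public history.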