Security vulnerabilities in IT systems and applications are becoming more and more of a hot topic these days. Different organizations have different policies regarding the acceptance of volunteer penetration testers’ efforts and the submission of security vulnerability data.
While I personally do not have immediate plans to go hunting for weaknesses in the Discourse platform, I think the following questions should be answered for anyone who may.
- How does CDCK, Inc. feel about “white hat” penetration testers actively looking for vulnerabilities in the Discourse application or on servers at try.discourse.org?
- How should security vulnerabilities, whether discovered deliberately or incidentally, be reported: should they be posted to Meta.Discourse, or sent to a specific e-mail address?