We are in the process of setting up a Vulnerability Disclosure Program with BugCrowd. Reports will be received via a submission form, which we need to embed on a new page on moodle.org. The page layout will include a brief (HTML or markup that will list things like our goal, expectations and scope), followed by the embedded submission form (embeds using <script> tags).
Next steps are:
- Discuss requirements / implementation with Helen Foster and David Mudrák (@mudrd8mz).
- Determine a URL for the page (I would suggest we use something like /security/report, /security-report or /responsible-disclosure, and do not refer to "bugcrowd" by name in the URL, so it doesn't need to change if we switch providers).
- We are awaiting feedback from BugCrowd on our draft brief. Once that is finalised, publish the page with brief and embedded submission form.
Some examples of other companies' pages (provided by BugCrowd) include:
- https://stage.buildxact.com/responsible-disclosure/ - closely matches the format of our draft brief.
- https://branch.io/security/report/ (click "Submit a report" to see the brief etc.).