docs: the security list is reached at security at curl.se now

Also update the FAQ section a bit to encourage users to rather submit security issues on hackerone than sending email. Closes #7689
2021-09-09 14:46:38 +02:00 · 2021-09-09 14:46:38 +02:00 · ab2f27cf88
commit ab2f27cf88
parent 60efeb1e0d
2 changed files with 9 additions and 5 deletions
--- a/docs/FAQ
+++ b/docs/FAQ
@ -288,10 +288,14 @@ FAQ
  from having to repeat ourselves even more. Thanks for respecting this.
  If you have found or simply suspect a security problem in curl or libcurl,
-  mail curl-security at haxx.se (closed list of receivers, mails are not
+  submit all the details at https://hackerone.one/curl. On there we keep the
-  disclosed) and tell. Then we can produce a fix in a timely manner before the
+  issue private while we investigate, confirm it, work and validate a fix and
-  flaw is announced to the world, thus lessen the impact the problem will have
+  agree on a time schedule for publication etc. That way we produce a fix in a
-  on existing users.
+  timely manner before the flaw is announced to the world, reducing the impact
  the problem risk having on existing users.
  Security issues can also be taking to the curl security team by emailing
  security at curl.se (closed list of receivers, mails are not disclosed).
  1.9 Where do I buy commercial support for curl?
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@ -91,7 +91,7 @@ announcement.
 - The security web page on the website should get the new vulnerability
  mentioned.
-curl-security (at haxx dot se)
+security (at curl dot se)
 ------------------------------
 This is a private mailing list for discussions on and about curl security