A distro for Security Vulnerability reporting

Discuss ideas and suggestions around the Church website.
quiott
New Member
Posts: 1
Joined: Wed Apr 03, 2019 3:10 pm

A distro for Security Vulnerability reporting

#1

Post by quiott »

https://hackerone.com/the_lds_church

HackerOne maintains a directory of entities and their vulnerability disclosure policies. I think that there should be a publicly available email distro to which reports could be sent so a page like this can have something here.

The same goes for:

https://hackerone.com/brigham_young_university

and

https://hackerone.com/familysearch

What think ye?
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: A distro for Security Vulnerability reporting

#2

Post by russellhltn »

I'm sure if you left something via the Feedback link on the main page, it would get a response.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
mevans
Senior Member
Posts: 2049
Joined: Tue May 22, 2012 1:52 pm
Location: California, USA

Re: A distro for Security Vulnerability reporting

#3

Post by mevans »

russellhltn wrote: I'm sure if you left something via the Feedback link on the main page, it would get a response.
While it might get a response, I'm not entirely certain it would be a useful response. Feedback goes to volunteers who seem to have varied technical understanding. There seems to be a default "clear your browser cache/restart your browser" reply they give when they really don't understand your issue. Sometimes you have to go back and forth a few times and your issue may get escalated to someone who understands things better. These are individuals who are trying their best to help, but sometimes aren't prepared to handle matters at a more technical level. I could be wrong. Maybe if a Feedback submission mentions security, volunteers are trained to forward it to someone with appropriate skills to assess the situation. It's just that my experience with Feedback is very mixed.

I found a security vulnerability sometime in the past year and didn't think Feedback would be the right way to get it to someone who would understand. Since I'm on the forums a lot, I'm aware of some church employees who participate in the forums on a regular basis and I sent a private message to an individual who I believed would understand the matter. The individual responded and submitted it to the appropriate team. I agree it would be preferable to have a proper way to report security issues.
christensencla
New Member
Posts: 1
Joined: Tue Jul 06, 2021 9:47 am

Re: A distro for Security Vulnerability reporting

#4

Post by christensencla »

You can submit discovered vulnerabilities at: https://churchofjesuschrist.org/informationsecurity.

There's no bounty program, but if you find a vulnerability you can get it into the right hands.