Document how to raise security issues

philwebb · philwebb · commit 2fa057a06ce3 · 2018-05-21T17:07:44.000-07:00
Update contributing documentation and the issue template with instructions on how to report security vulnerabilities. Closes gh-12509
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
@@ -1,20 +1,20 @@
 <!--
 Thanks for raising a Spring Boot issue. What sort of issue are you raising?
 
-Question
-
+❓Question
 Please ask questions about how to use something, or to understand why something isn't
 working as you expect it to, on Stack Overflow using the spring-boot tag.
 
-Bug report
-
+🐞 Bug report
 Please provide details of the problem, including the version of Spring Boot that you
 are using. If possible, please provide a test case or sample application that reproduces
 the problem. This makes it much easier for us to diagnose the problem and to verify that
 we have fixed it.
 
-Enhancement
+🚨 Security Vulnerability
+STOP!! Please don't raise security vulnerabilities here. Head over to https://pivotal.io/security to learn how to disclose them responsibly.
 
+🎁 Enhancement
 Please start by describing the problem that you are trying to solve. There may already
 be a solution, or there may be a way to solve it that you hadn't considered.
--->
+-->
diff --git a/CONTRIBUTING.adoc b/CONTRIBUTING.adoc
@@ -25,6 +25,14 @@ problem.
 
 
 
+== Reporting Security Vulnerabilities
+If you think you have found a security vulnerability in Spring Boot please *DO NOT*
+disclose it publicly until we've had a chance to fix it. Please don't report security
+vulnerabilities using GitHub issues, instead head over to https://pivotal.io/security and
+learn how to disclose them responsibly.
+
+
+
 == Sign the Contributor License Agreement
 Before we accept a non-trivial patch or pull request we will need you to
 https://cla.pivotal.io/sign/spring[sign the Contributor License Agreement].
