Security Policy: systematically credit reporter

Hi everyone,

we apparently never formalized, in our process for handling security issues, the crediting of vulnerability reporters, but we are already often doing it. So I propose to add some information in https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/#HSecurityAdvisorytemplateandinformation for this

### Attribution

Ask if the reporter of the vulnerability is ok to be credited and how: provide the information here, and also in GitHub’s dedicated advisory fields. If the reporter is not a member of XWiki/Security, pay attention to also add them as a collaborator.

wdyt?

+1

+1

I don’t understand the “here”. Isn’t the text you proposed for the template of the advisory?

There’s more than 1 field for this?

Thanks

+1 thanks

Yes it’s a template: so it’s used by copy/pasting it and replacing the text with the proper info. Like in the reference section we have:

You should list here the JIRA ticket(s) related to this vulnerability[...]

Hmmm I had a doubt but no I think it’s only one.

ok so we want to have the crediting in 2 places in the advisory (steps 1 and 2 in the screenshot):

  1. in the free text content of the advisory
  2. in the dedicated advisory field

What is the reason? (because the text info is copied in the CVE and there’s no other credit field for that in CVE?)

Also, re the collaborator, I guess it’s step 3 in my screenshot, right?

Thx

That, and we also copy the content of the advisory in our own security advisory app. Also, the plain text allows us to provide more info if the reporter wants (e.g. we have cases where a reporter wants to be credited with their full name as well as their GitHub username)

yes

+1 in general

There are other cases:

  • there are several reporters that reported different aspects of a vulnerability, in this case it wouldn’t be fair to credit them both exactly the same way
  • there is a project or some funding that should be mentioned like when we had the bug bounty program with Intigriti. I also had a case where the attribution should mention a “project at Oteria Cyber School that was organized by OffenSkill”

In those cases, I don’t see how that should be expressed by the simple credits fields. On the other hand, the credits field is indexed and the advisories, e.g., appear on the profile of the reporter and can be searched. So I think both provide value.

It would be okay for me, though, to omit the attribution in the text content in simple cases, in particular if a vulnerability has been fully reported by a committer.