Autorespond security@kubernetes.io -> hackerone?
lukehinds opened this issue
It seems we all agree that someone with a valid vulnerability deserves an award, and we make a point of directing them towards HackerOne.
With that in mind, would it be worth us having an auto responder to outline this to any new reports:
"Thank you for contacting Kubernetes security. If you're reporting a security vulnerability, please consider using the hackerone.com/kubernetes bug bounty program where there is an awards program".
My thinking is that everything goes to HackerOne for a first triage, and that frees us up to focus just on the assigned items, rather than a lot of dupes / non-issues?
If an auto-response is not possible, we could still perhaps cookie-cut a reply?
Cheers,
Luke