@aaron triages new reports and addresses the issues himself if they’re in packages where he’s best suited to addressing them. Otherwise he’ll usually reach out to the team member that is best suited to addressing the vulnerability.
Once the vulnerability is addressed, that person makes a comment on the Hackerone report and @aaron awards the bounty.
Desired Outcome
Answers to:
Should we pause the program for a while?
If not, should we redefine/reduce the scope of the program?
Who is responsible for these reports currently?
Who should be responsible for these reports going forward?
Please reply to this forum post with items you would like included on the agenda.
Each item should include:
Item name
Background information: Links to github issues, forum posts, etc with background information on the item
Desired outcome: what decision or deliverable would you like from the discussion of this topic at the meeting?
We’ll save ~10 minutes or so for community questions or comments at the end of the meeting.
I’ll turn proposed items into an agenda prior to the meeting.
Settings on our engineering meeting got changed in the zoom account which caused a delay in meeting start. The core team members on the call indicated that they’ve all had trouble with the shared zoom accounts and having to use appear.in or alternates for ad hoc meetings and running into video quality issues.
@aaron is the primary person currently responsible for our Hackerone program.
He generally pings the person best situated to handle a bug.
Recently, Hackerone introduced new features with SLAs about how fast you’re supposed to respond which is why we received a notice that we weren’t responding quickly enough.