@@ -17,7 +17,7 @@ Alternatively send an email to security@dolibarr.org (for everybody)
## Hunting vulnerabilities on Dolibarr
-We believe that future of software is online SaaS. This means software are more and more critical and no technology is perfect. Working with skilled security researchers is crucial in identifying weaknesses in our technology.
+We believe that the future of software is online SaaS. This means software are more and more critical and no technology is perfect. Working with skilled security researchers is crucial in identifying weaknesses in our technology.
If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
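Review bot: the `+` line still carries a subject-verb disagreement that sits right next to the corrected article: "This means software are more and more critical" should read "This means software is more and more critical" (or "applications are more and more critical"). Since the line is already being rewritten for "the future of software", it would be cleaner to take that fix in the same change.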
@@ -35,13 +35,13 @@ You can install the web application yourself on your own platform/server so you
## Eligibility and Responsible Disclosure
-We are happy to thank everyone who submits valid reports which help us improve the security of Dolibarr however, only those that meet the following eligibility requirements will be "validated reports" (if not, we may close the report without any answer):
+We are happy to thank everyone who submits valid reports which help us improve the security of Dolibarr, however only those that meet the following eligibility requirements will be "validated reports" (if not, we may close the report without any answer):
You must be the first reporter of the vulnerability (duplicate reports are closed).
You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
-You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second), that's why we recommand to install softwate on your own platform.
+You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second), that's why we recommand to install software on your own platform.
You must not leak, manipulate, or destroy any user data of third parties to find your vulnerability.
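Review bot: the second `+` line fixes "softwate" but leaves "recommand" on the same line; it should be "recommend", and "limit yourself about requests per second" would read more naturally as "keep your request rate low", which is the actual ask. The first `+` line only moves the comma and still joins two independent clauses with a bare "however"; "...the security of Dolibarr. However, only those that meet the following eligibility requirements..." avoids the comma splice. Both could be folded into this typo pass rather than left for another one.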
@@ -56,7 +56,7 @@ ONLY vulnerabilities discovered, when the following setup on test platform is us
* The module DebugBar and ModuleBuilder must NOT be enabled (by default, these modules are not enabled. They are developer tools)
* ONLY security reports on modules provided by default and with the "stable" status are valid (troubles into "experimental", "developement" or external modules are not valid vulnerabilities).
* The root of web server must link to htdocs and the documents directory must be outside of the web server root (this is the default when using the default installer but may differs with external installer).
-* The web server setup must be done so only the documents directory is in write mode. The root directory called htdocs must be readonly.
+* The web server setup must be done so that only the documents directory is in write mode. The root directory called htdocs must be read-only.
* CSRF attacks are accepted but double check that you have set MAIN_SECURITY_CSRF_WITH_TOKEN to value 3.
* Ability for a high level user to edit web site pages into the CMS by including HTML or Javascript is an expected feature. Vulnerabilities into the website module are validated only if HTML or Javascript injection can be done by a non allowed user.
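Review bot: the `+` line states the write/read-only split but not whom it applies to, and that is the security-relevant part of the requirement: the point is that the process the web server runs as must not be able to write into htdocs, so an arbitrary-file-write in the application cannot turn into code execution. Suggest making the subject explicit, e.g. "The user the web server runs as must have write access only to the documents directory; htdocs must be read-only for that user." Two unchanged context lines in this hunk also carry typos that the same pass could catch: "may differs" should be "may differ" and "developement" should be "development".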