As someone submitting security vulnerabilities, I want up-to-date information about how to do so

[afeld]

Currently, we have a number of paths/documentation:

• #incident-response
• #vuln-disclosure - archived
• https://18f.gsa.gov/vulnerability-disclosure-policy/#reporting-a-vulnerability - says "TTS Bug Bounty is on break"
• [email protected]
• https://hackerone.com/tts

There is definitely overlap - we should consolidate.

• Update the list of URLs in scope, for the Bug Bounty and broadly - cc Determine the source-of-truth inventory of TTS systems #23

cc #31

[afeld]

• Clarify the SLAs

[afeld]

Clarified this issue to be about incident reporting, while #77 is about triaging and response.

[adborden]

https://github.com/18F/bug-bounty is listed as "OUT OF DATE" with a link to this issue. Since bug-bounty is about documenting how to administer the TTS Bug Bounty program, I'm not sure why this issue is related, or why bug-bounty is out of date.

[adborden]

What was the resolution here? https://github.com/18F/bug-bounty still links to this issue. Is there a new doc that should be linked instead?

[its-a-lisa-at-work]

The Public Disclosures of Vulnerabilities site on TTS was updated -- if there are other things that you think need to be addressed, please let me know and we'll create a new card