Via https://github.com/freeCodeCamp/open-api/issues/146
@imcodingideas suggested having a policy in place in https://github.com/freeCodeCamp/open-api/issues/146#issuecomment-388529781. It would be great to have a hall of fame with people disclosing security issues in an ethical manner, i.e. not via a GH issue, but to the team, giving us enough time to fix it before we disclose the issue found.
While we formulate such a policy, suggesting in the issue templates that security issues be raised by emailing [email protected] would be a quick fix. Once set up, a public key to encrypt that communication should be added.
Some examples:
Github: https://bounty.github.com/ even has a leaderboard
Mozilla https://www.mozilla.org/en-US/security/bug-bounty
Google https://www.google.com/about/appsecurity/reward-program/
Facebook https://www.facebook.com/whitehat
/cc @raisedadead @imcodingideas
I would like to contribute to this, particularly because of my background in resolving security issues in previous professional positions.
@ojongerius can I take this up as a first timer to this repo :)
A leaderboard would be really awesome! I'm currently working on a policy page, just to state the above email.
@Harkaran We would welcome your ideas on this, and anything you're interested in helping build on this.
We now have instructions for security issues in our issue template. We also have a new email address where people can send security issues: [email protected]
So I'm going to close this issue for the time being.
Awesome steps, this makes reporting security issues a lot easier! I think this gh issue is useful for tracking the hall-of-fame side of things, though, (i.e. acknowledgements for security researchers). I therefore think that this could stay open, but of course it's your decision.
@QuincyLarson we have a small mention in the GH template but I do think it would be much better to have a static page about it.
@Harkaran and @joker314 your contributions would be very welcome!
@QuincyLarson happy for this to stay open while it's being worked on? We can raise another one but that would just be duplication.
Do we put a link into the navbar of each page? In the footer? Force security researchers to guess the URL? I suggest adding a "Contact" page that links to this issue tracker, the email for the team, and the security email, to be useful to the most people. Thoughts?
Also, sorry for not being up to speed, but what happened to all the lessons moving to learn.freecodecamp.org rather than beta.freecodecamp.org? This should give more space for that entry in the navbar.
@joker314 We don't want to clutter our UI with lots of links (we don't even use a footer, and our navigation bar currently only has 3 links in it).
@ojongerius I can create a security web app (I can just fork our https://privacy-policy.freecodecamp.org and deploy the new security.freecodecamp.org app on Netlify).
What do you think the text of this page should be?
I think something based on the below might work quite nicely (below is licenced under CC0, etc. etc.)
FreeCodeCamp is an open-source project that takes protecting our users very seriously. If you think you've found a security vulnerability in our software, please let us know, we want to hear about it!
Contact email: [email protected]
We share your desire to fix issues as quickly as possible, so please give as much information as you can, possibly including screenshots and a list of steps to reproduce the vulnerability on our end.
Please make a good faith effort to avoid destruction of data, degradation of service, and privacy violations.
If you follow these rules, and want to, you can appear on our hall of fame when you submit a valid vulnerability.
Thank you so much for making our users safer!
I can make a page for you, but I don't know how to make a hall of fame or leaderboard. That could be a separate issue for someone.
However, I will submit a PR for the security contact page. Thank you for making this available to beginners!
I think the best way for me to do this is to submit a Markdown file (I am not very good at coding so it would take me a long time) if that is OK. Then you can use that to make it into a webpage or link to it or simply copy and paste the text :)
I'm closing this issue since we have the following copy in our README now:
Please don't create GitHub issues for security issues. Instead, please send an email to [email protected] and we'll look into it immediately.
Continuing the conversation here, wondered if there is a plan to include security.txt on the site. Like freecodecamp.org/security.txt which contains the reporting template above.
It will help prevent emails that are irrelevant or that did not follow the guidelines.
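The security.txt file suggested in the last comment has a defined format (RFC 9116: `Field: value` lines, with `Contact` and `Expires` required), so a maintainer can check it before publishing. The validator below is an added example, not freeCodeCamp's code; the sample file, its address and its URLs are constructed placeholders standing in for the security email, policy page and hall of fame discussed in this thread.

```python
from datetime import datetime, timezone

# Constructed sample for this thread; the address and URLs are placeholders.
SAMPLE_SECURITY_TXT = """\
# Where to report vulnerabilities instead of opening a GitHub issue
Contact: mailto:security@example.org
Expires: 2030-01-01T00:00:00Z
Policy: https://security.example.org/
Acknowledgments: https://security.example.org/hall-of-fame
Preferred-Languages: en
"""

REQUIRED = {"contact", "expires"}
KNOWN = REQUIRED | {"acknowledgments", "canonical", "encryption", "hiring", "policy", "preferred-languages"}


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}; comments and blanks are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return the problems found; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {f}" for f in sorted(REQUIRED - set(fields))]
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto/https/tel URI: {contact}")
    for value in fields.get("expires", []):
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {value}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires lacks a timezone: {value}")
        elif when <= now:
            problems.append(f"file expired on {value}")
    problems += [f"unknown field: {name}" for name in fields if name not in KNOWN]
    return problems
```

RFC 9116 serves the file from /.well-known/security.txt, with the top-level /security.txt path kept only for backwards compatibility, so the published copy should live at both.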