Description
Issues
- The project receives reports from huntr that are not useful.
- The reports from huntr are time consuming and use up limited maintainer resources.
Discussion / Proposal
- Update our SECURITY.md file to indicate how we are dealing with huntr reports
- Direct security reporters to provide more detailed information on the security vulnerability, including a proof of concept (POC) and proof of impact (POI)
- Once a POC and POI are established, we can direct people to report the issue via the GitHub Security Advisory form: https://github.com/scikit-learn/scikit-learn/security/advisories/new
- Remove scikit-learn from the huntr bug bounty program
Proposed text for huntr reports
Draft text for huntr submissions:
The scikit-learn project is not reviewing reports submitted to huntr. Please use our SECURITY.md to submit reports. For security reports, provide both a POC (proof of concept) and POI (proof of impact). If your report is deemed impactful, you can then report it to huntr to collect a bounty.