docs: New security reporting policy (#3723)

2025-10-06 03:38:39 +00:00 · 2022-10-17 17:52:49 -04:00
parent a3155ba03c
commit be07984313
1 changed files with 8 additions and 1 deletions
--- a/docs/security.md
+++ b/docs/security.md
@@ -18,4 +18,11 @@ with untrusted inputs; refer to [Options](options.md) for more details.
 The error message thrown by KaTeX may contain unescaped LaTeX source code.
 See [Handling Errors](error.md) for more details.

-> If you discovered a security issue, please let us know via https://hackerone.com/khanacademy
+## Reporting a Vulnerability
+
+If you have discovered a potential security issue with KaTeX:
+
+1. Please report the issue privately by emailing [katex-security@mit.edu](mailto:katex-security@mit.edu).
+2. We will create a [GitHub Security Advisory](https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories) and (if desired) invite you as a collaborator for further discussion about the vulnerability and how to fix them. Please let us know your GitHub.com username so that we can add you.
+3. We will evaluate the vulnerability and, if necessary, release a fix and security advisory. We will credit you in the report.
+4. Please do not disclose the vulnerability publicly until after a fix has been released.