Author: lukaszlenart
Date: Sat Jun 7 09:40:12 2014
New Revision: 1601081
URL: http://svn.apache.org/r1601081
Log: Adds info and note about Google's patch reward program
Modified: struts/site/trunk/content/index.html struts/site/trunk/content/submitting-patches.html struts/site/trunk/source/index.html struts/site/trunk/source/submitting-patches.md Modified: struts/site/trunk/content/index.html URL: http://svn.apache.org/viewvc/struts/site/trunk/content/index.html?rev=1601081&r1=1601080&r2=1601081&view=diff ============================================================================== --- struts/site/trunk/content/index.html (original) +++ struts/site/trunk/content/index.html Sat Jun 7 09:40:12 2014 @@ -129,9 +129,10 @@ <a href="http://struts.apache.org/release/2.3.x/docs/version-notes-23163.html";>Version notes</a> </div> <div class="col-md-4"> - <h2>Struts up to 2.3.16.1: Zero-Day Exploit Mitigation!</h2> - <p>In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, - the correction wasn't sufficient, <a href="announce.html#a20140424">read more</a> + <h2>Google's Patch Rewards program</h2> + <p>During <a href="http://www.meetup.com/sfhtml5/";>SFHTML5</a> Google announced that they extend their program + to cover the Apache Struts project as well. Now you can earn some many preparing patches for us! + <a href="submitting-patches.html#patch-reward">read more</a> </p> </div> <div class="col-md-4"> Modified: struts/site/trunk/content/submitting-patches.html URL: http://svn.apache.org/viewvc/struts/site/trunk/content/submitting-patches.html?rev=1601081&r1=1601080&r2=1601081&view=diff ============================================================================== --- struts/site/trunk/content/submitting-patches.html (original) +++ struts/site/trunk/content/submitting-patches.html Sat Jun 7 09:40:12 2014 
@@ -182,6 +182,34 @@ your fork and branch to compare the diff <li><a href="http://wiki.apache.org/general/GitAtApache";>Git at Apache</a></li> </ul> +<h1><span id="patch-reward">Google's Patch Reward program</h1> + +<p>During <a href="http://www.meetup.com/sfhtml5/";>SFHTML5</a> Google announced that they adding the Apache Struts project to +<a href="https://www.google.com/about/appsecurity/patch-rewards/";>the Google's Security Patch Reward Program</a>.</p> + +<p>What does it mean?</p> + +<p>If you prepared a patch that eliminates a security vulnerability or improves existing security mechanism +you can get a bounty :-) You will find more details on +<a href="http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html";>the Google's blog</a> + or under the link above, just to give you a quick guideline how does it work:</p> + +<ul> +<li>prepare a patch and submit it to our <a href="https://issues.apache.org/jira/browse/WW";>JIRA</a>, +it can be a Pull Request on GitHub as well, but must reference the JIRA ticket.</li> +<li>let us know that you did something great, post a message to <a href="dev-mail.html">Struts Dev mailing list</a></li> +<li>we will review the patch and if it's a real great thing then we will merge it into our code base</li> +<li>just wait on official release of the Apache Struts and now you can request the reward from Google :-)</li> +</ul> + +<p><strong>NOTE</strong></p> + +<p>If you are concerned that your patch can disclose a security vulnerability, instead of submitting it as a ticket, +send it directly to the <a href="mailto:secur...@struts.apache.org";>Struts Security team</a>. 
This will give us the possibility +to prepare a new release with your patch in secret.</p> + +<p>Have fun and code!</p> + </section> </article> Modified: struts/site/trunk/source/index.html URL: http://svn.apache.org/viewvc/struts/site/trunk/source/index.html?rev=1601081&r1=1601080&r2=1601081&view=diff ============================================================================== --- struts/site/trunk/source/index.html (original) +++ struts/site/trunk/source/index.html Sat Jun 7 09:40:12 2014 @@ -26,9 +26,10 @@ title: Welcome to the Apache Struts proj <a href="http://struts.apache.org/release/2.3.x/docs/version-notes-{{ site.current_version_short }}.html">Version notes</a> </div> <div class="col-md-4"> - <h2>Struts up to 2.3.16.1: Zero-Day Exploit Mitigation!</h2> - <p>In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, - the correction wasn't sufficient, <a href="announce.html#a20140424">read more</a> + <h2>Google's Patch Rewards program</h2> + <p>During <a href="http://www.meetup.com/sfhtml5/";>SFHTML5</a> Google announced that they extend their program + to cover the Apache Struts project as well. Now you can earn some many preparing patches for us! + <a href="submitting-patches.html#patch-reward">read more</a> </p> </div> <div class="col-md-4"> Modified: struts/site/trunk/source/submitting-patches.md URL: http://svn.apache.org/viewvc/struts/site/trunk/source/submitting-patches.md?rev=1601081&r1=1601080&r2=1601081&view=diff ============================================================================== --- struts/site/trunk/source/submitting-patches.md (original) +++ struts/site/trunk/source/submitting-patches.md Sat Jun 7 09:40:12 2014 
@@ -77,3 +77,29 @@ Finally hit `Create Pull Request` button ## Further reading * [Git at Apache](http://wiki.apache.org/general/GitAtApache) + +# <span id="patch-reward">Google's Patch Reward program + +During [SFHTML5](http://www.meetup.com/sfhtml5/) Google announced that they adding the Apache Struts project to +[the Google's Security Patch Reward Program](https://www.google.com/about/appsecurity/patch-rewards/). + +What does it mean? + +If you prepared a patch that eliminates a security vulnerability or improves existing security mechanism +you can get a bounty :-) You will find more details on +[the Google's blog](http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html) + or under the link above, just to give you a quick guideline how does it work: + +- prepare a patch and submit it to our [JIRA](https://issues.apache.org/jira/browse/WW), + it can be a Pull Request on GitHub as well, but must reference the JIRA ticket. +- let us know that you did something great, post a message to [Struts Dev mailing list](dev-mail.html) +- we will review the patch and if it's a real great thing then we will merge it into our code base +- just wait on official release of the Apache Struts and now you can request the reward from Google :-) + +**NOTE** + +If you are concerned that your patch can disclose a security vulnerability, instead of submitting it as a ticket, +send it directly to the [Struts Security team](mailto:secur...@struts.apache.org). This will give us the possibility +to prepare a new release with your patch in secret. + +Have fun and code!
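Review bot: The removed `<h2>Struts up to 2.3.16.1: Zero-Day Exploit Mitigation!</h2>` block in content/index.html is replaced outright, so this column loses its link to `announce.html#a20140424` even though the removed text says the 2.3.16.1 correction wasn't sufficient. Consider keeping a short pointer to that announcement next to the new reward teaser, so users still on affected versions can reach the mitigation from the front page.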
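Review bot: The `<span id="patch-reward">` opened inside the added `<h1>` in content/submitting-patches.html is never closed before `</h1>`, which leaves the heading markup unbalanced. Either close the span or put the id on the heading itself (`<h1 id="patch-reward">`), so the `submitting-patches.html#patch-reward` link added in index.html targets well-formed markup. The first paragraph also reads "announced that they adding", which is missing "are".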
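Review bot: The added teaser paragraph in source/index.html contains the typo "earn some many preparing patches", which should read "earn some money by preparing patches", and "announced that they extend their program" reads better as "announced that they are extending their program". Fix it here in the source and regenerate content/index.html, which carries the same text.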
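Review bot: The **NOTE** about sending a patch privately to the Struts Security team sits after the bullet list in source/submitting-patches.md, whose first two steps send the contributor to JIRA (or a GitHub Pull Request) and the Struts Dev mailing list, all of them public. Move the note above the list, or fold it into the first bullet, so someone holding a patch that would disclose a vulnerability reads the private route before the public one. The heading line also opens `<span id="patch-reward">` without closing it, and the steps do not say how a privately submitted patch gets the JIRA reference that the first bullet requires.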