This is going to be a bit broad, but I think it's worth discussing, even with the Needs more focus line.
The general guidance for reporting security issues for Stack Internal (formerly Stack Overflow for Teams) is on this page:
Report a Security Issue
Found a security vulnerability? Contact your administrator!
[...] If you believe you've discovered a security issue that may affect other users, report it so we can investigate and correct the problem.
Do not post reports of security vulnerabilities on the site. Contact your site administrator directly instead. Include as much information as you can about the issue and detailed instructions for how to reproduce it.
There are a few thoughts I have on this:
- Why is it preferable to go through the admin over contacting SE directly?
- As an admin, if a user reports a vulnerability to me, where can I find guidance on my next steps? Should I raise a high/urgent-priority ticket? Use the contact form? Something else?
- Can the Stack Internal security overview page have a link to that guidance?
Specifically, would it be possible for someone to clarify the guidance there?