Trying to get in touch regarding a security issue

Question

Trying to get in touch regarding a security issue

JamieSlome opened this issue 3 years ago · 4 comments

Hi there,

I couldn't find a SECURITY.md in your repository and am not sure how to best contact you privately to disclose a security issue.

Can you add a SECURITY.md file with an e-mail to your repository, so that our system can send you the vulnerability details? GitHub suggests that a security policy is the best way to make sure security issues are responsibly disclosed.

Once you've done that, you should receive an e-mail within the next hour with more info.

Thanks! (cc @huntr-helper)

Answer 1 · 2021-07-10T21:03:34.000Z

Hey @JamieSlome, thanks for the heads up! I'll check with Brave's security team about what I should use here as a SECURITY.md, but in the meantime you should be able to refer to the one from the brave-browser repo.

Answer 2 · 2021-07-10T23:17:05.000Z

I've just added SECURITY.md to the repository.

Answer 3 · 2021-07-20T22:05:50.000Z

@JamieSlome any updates on the security issue?

Answer 4 · 2021-07-21T08:11:14.000Z

@antonok-edm - you can view the advisory here.

It was marked as invalid as our program does not accept non-code level vulnerabilities, but feel free to use the page for your reference.