Security concern

Question

Security concern

JamieSlome opened this issue 2 years ago · 5 comments

Hey there!

I belong to an open source security research community, and a member (@brenu) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

Answer 1 · 2022-04-24T20:56:02.000Z

It's at the bottom of the README: https://github.com/diaspora/diaspora#security

Answer 2 · 2022-04-25T13:15:06.000Z

@SuperTux88 - thanks 👍

I have sent an e-mail to the address stated in the README.md. For reference, the report can be found here:
https://huntr.dev/bounties/bcfb6f49-8fbb-4498-a569-89500e23279e/

It is currently private and only accessible to maintainers with repository write permissions...

Answer 3 · 2022-04-26T18:54:12.000Z

I've just submitted a PR to add a dedicated SECURITY.md, as that's best-practice on GitHub, and you're not the first one who missed the section in README.md. :)

Answer 4 · 2022-04-26T19:06:43.000Z

... aaand it's merged into all active branches. Since we're in touch with the security researcher directly, there is no need for this issue right now. Thanks again, @JamieSlome!

Answer 5 · 2022-04-27T12:13:50.000Z

Great @denschub - I have seen your comments on the report - really appreciate your diligence!

Once you are ready with a fix, feel free to confirm it against the report 👍