Security concern
JamieSlome opened this issue · 5 comments
Hey there!
I belong to an open source security research community, and a member (@brenu) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
It's at the bottom of the README: https://github.com/diaspora/diaspora#security
@SuperTux88 - thanks 👍
I have sent an e-mail to the address stated in the README.md. For reference, the report can be found here:
https://huntr.dev/bounties/bcfb6f49-8fbb-4498-a569-89500e23279e/
It is currently private and only accessible to maintainers with repository write permissions...
I've just submitted a PR to add a dedicated SECURITY.md, as that's best practice on GitHub, and you're not the first one who missed the section in README.md. :)
... aaand it's merged into all active branches. Since we're in touch with the security researcher directly, there is no need for this issue right now. Thanks again, @JamieSlome!
Great @denschub - I have seen your comments on the report - really appreciate your diligence!
Once you are ready with a fix, feel free to confirm it against the report 👍