Who to contact for security issues
zidingz opened this issue · 4 comments
Hey there!
I belong to an open source security research community, and a member (@ShellInjector) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
Hi @zidingz, I'm creating a security advisory under my own fork of Parsedown. I'll invite both you and @ShellInjector to access it. (Unfortunately I am not able to create one here as it is a personal repo, which I think only permits one admin/owner).
Please feel free to disclose the information there, or otherwise post it here if you prefer to do full-disclosure in the open.
Thanks also for highlighting the missing SECURITY.md; I'll see what I can do for improving the contact process.
@aidantwoods - I see that you commented on one of our reports, requesting access.
Seeing as you maintain your own fork, it might be worthwhile, @ShellInjector, disclosing the report against the forked version of Parsedown instead (which @aidantwoods maintains).
Our system currently only grants access to the user that maintains a repository, unless the repository is an organization of course.
@ShellInjector @aidantwoods - does this work for you both?
That works for me!
Any updates?