kkuchta/css-only-chat

Trying to get in touch regarding a security issue

zidingz opened this issue · 2 comments

Hey there!

I'd like to report a security issue but cannot find contact instructions on your repository.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

This project is a humorous technical proof-of-concept. I am extremely confident that you do not have a legitimate security concern, since no one runs this code in production. For that matter, I'd be surprised if it runs at all. If you feel compelled to report something, feel free to open a public GitHub issue. There's no need for any responsible disclosure or security contact because, again, no one actually uses this code.

Sorry about that! A user disclosed a CSRF against this repository, but it's out of scope for us since this is a demo project.

Appreciate your time, and love the funky project.