kurtmckee/feedparser

Potential security issue

psmoros opened this issue · 5 comments

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@Benasin) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

That's a good idea! Let me read some docs about GitHub's interface for this. In the meantime, my public email address is posted on my profile (@kurtmckee) and you can send information to me via that route. Thanks!

Hi guys, are there any updates on the Security Issue?

Yes, I told you to send an email to my email address.

jasnow commented

Having an official point of contact is super important when someone finds a vulnerability and wants to responsibly report it. The "Security" button on GitHub repos shows what a project's Security Policy is as defined by the Security.md file.

You are correct, and I haven't implemented it yet. I have responded how this particular issue can be reported in the meantime.