No response for reported security issue for a month
viters opened this issue ยท 4 comments
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- This issue affects my Ory Network project.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Describe the bug
The security policy states:
Please report (suspected) security vulnerabilities to security@ory.sh. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
I have reported potential security vulnerability in Oathkeeper v0.40.1 by sending email to security@ory.sh on 18 Jan 2023 and bumped it on 23 Jan 2023 and I have not received response till today.
It would be useful to receive the response even if you do not consider my report a security vulnerability, so I could turn it into GitHub issue and someone could fix it with PR.
Version
0.40.1
Hey @viters, sorry about that. We do get reports to security@ory.sh on a weekly basis (most of them are invalid) but we do reply within 24 hours. @vinckr can you check if @viters emails end up in Spam maybe?
Regarding the report, can you try sending me an email again to aeneas@ory.sh
Hello @viters
Apologies for that, as Aeneas pointed out above we do get a lot of spam on that address.
But I was not able to find any incoming Email on the 18.01. or 23.01.
Also nothing from viters or the email listed in your gh profile @viters.
If the messages ended up in spam - which seems the only reasonable explanation by now - they are deleted by now....
Please also include me in the report vincent@ory.sh and feel free to let us know here when you sent it,
thanks ๐
@aeneasr @vinckr
Thanks for response! That was my thought, but I could not find other way to reach you rather than GitHub issue.
This is the summary from Gmail (in polish, sorry I could not quickly find lang switch) to confirm that it looked right from my side. Maybe it is because email contains code, screens and some text that could be marked as malicious and was blocked?
Thanks for direct contact to you! I will resend the email. If it does not reach you, I can try to attach the description in some other form, rather than writing it in the email's content.
Maybe it is because email contains code, screens and some text that could be marked as malicious and was blocked?
Hard to say bc the original email was deleted, but we received the new one without any problems...
Thanks for reaching out and working to make Ory more secure ๐