How to get in touch regarding a security concern
Closed this issue ยท 6 comments
Hello ๐
I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@esmo-ts) has found a potential issue, which I would be eager to share with you.
Could you add a SECURITY.md
file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.
Looking forward to hearing from you ๐
(cc @huntr-helper)
Thanks @psmoros for reaching out.
Unfortunately we do not have anything security related setup.
For now please send an email to me (oss-pluggy at soliv.dev) and I will bring up the other maintainers as needed.
I think pluggy would be eligible for Tidelift incomes. This would also make creating the security process easy (just add a link in security.md)
That's a good idea @Pierre-Sassoulas.
I applied pluggy
for lifting, they will answer in a few days.
@nicoddemus we ca enable secure incident reporting for the project as well
Ahh well remembered @RonnyPfannschmidt.
@psmoros you can report it here: https://github.com/pytest-dev/pluggy/security
Closing this then.