How to get in touch regarding a security concern

Question

How to get in touch regarding a security concern

Closed this issue 3 months ago · 6 comments

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@esmo-ts) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

Answer 1 · 2024-04-07T12:36:10.000Z

Thanks @psmoros for reaching out.

Unfortunately we do not have anything security related setup.

For now please send an email to me (oss-pluggy at soliv.dev) and I will bring up the other maintainers as needed.

Answer 2 · 2024-04-07T15:40:07.000Z

I think pluggy would be eligible for Tidelift incomes. This would also make creating the security process easy (just add a link in security.md)

Answer 3 · 2024-04-07T16:41:09.000Z

That's a good idea @Pierre-Sassoulas.

I applied pluggy for lifting, they will answer in a few days.

Answer 4 · 2024-04-07T17:06:23.000Z

@nicoddemus we ca enable secure incident reporting for the project as well

Answer 5 · 2024-04-07T17:22:15.000Z

Ahh well remembered @RonnyPfannschmidt.

@psmoros you can report it here: https://github.com/pytest-dev/pluggy/security

Answer 6 · 2024-04-10T11:20:34.000Z

Closing this then.