rails/rails-html-sanitizer

Private reporting of a potential security vulnerability

Sim4n6 opened this issue · 6 comments

Dear rails-html-sanitizer team,

I have identified a security vulnerability in the codebase of the latest version of rails-html-sanitizer.

I would like to report it privately. Could you please consider opting in to the new GitHub feature for private reporting?

Kind consideration
@Sim4n6

Hi! Thanks for asking about our security policy. It's documented in the README:

[screenshot of the README's security policy section]

Because this project is under the Rails umbrella, you should report security concerns following this policy: https://rubyonrails.org/security

We use HackerOne; here's the deep link: https://hackerone.com/rails

Thank you for your response.

Sorry about that, but I'm a bit lost.

Do you suggest, please, that I initially submit the report via https://hackerone.com/rails?type=team, or do I proceed via https://hackerone.com/ibb?type=team, please?

Regards,
@Sim4n6

I'm going with https://hackerone.com/rails?view_policy=true right away 👍🏾

Thank you.