CromwellCMS / Cromwell

WordPress-like CMS for Next.js websites

Home Page: https://cromwellcms.com


Who to contact for security issues

JamieSlome opened this issue · comments

Hey there!

I belong to an open source security research community, and a member (@wjddnjs33) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

Hey! Thanks for letting me know, I created SECURITY.md.

@eilrix - thanks for your support!

You should have received an e-mail about 9 hours ago!

For reference, you can view the report here. It is private and only accessible to maintainers with repository write permissions.

@JamieSlome for some reason I haven't received the email. Are you sure it was security@cromwellcms.com? I checked, my email service is working.

I looked at the report, thanks!
I left a comment on my report, I'm not sure whether to approve or reject. Is there any way to change the status "Awaiting review" without pressing approve/reject?

Btw huntr.dev looks great, very helpful service!

@eilrix - ah, I can see what happened. Looks like a bug on our side - apologies!

Happy you have found your way to the report nonetheless! The approve/reject buttons change the status specifically. If you mark as invalid, it will become public and be marked as invalid. If you mark as valid, it will move to awaiting fix.

Let me know if you have any further questions and happy to help 👋

@eilrix - I have sent the e-mail over to the security e-mail again, just for completeness 😄

@JamieSlome alrighty, I got the email with my magic link :)