Process for Reporting Security Vulnerabilities

Question

Process for Reporting Security Vulnerabilities

4cad opened this issue 5 years ago · comments

What is the best way to report security bugs to your project? It is a generally good practice to avoid public issue trackers if possible when reporting vulnerabilities, but I cannot find any alternatives in your project documentation.

Thanks,
Dane

László Langó · Answer 1 · Wed Jun 19 2019 15:46:02 GMT+0800 (China Standard Time)

CC: @daeyeon @haesik

4cad · Answer 2 · Tue Jun 25 2019 11:38:06 GMT+0800 (China Standard Time)

Any thoughts on this? I would prefer not to sit on vulnerabilities for too long after their discovery.

Akos Kiss · Answer 3 · Thu Jun 27 2019 16:02:37 GMT+0800 (China Standard Time)

@4cad Hi Dane, the project has no official private channels at the moment. You can track down my email address from my profile page and I might try and give a feedback whether to publicly report the vulnerability or not, but that's far from official. (Or you might try that with any of the other maintainers.)

4cad · Answer 4 · Fri Jun 28 2019 20:35:52 GMT+0800 (China Standard Time)

@akosthekiss Sounds good - I will give you a ping tonight with the details.

Akos Kiss · Answer 5 · Wed Jul 03 2019 21:50:13 GMT+0800 (China Standard Time)

Issue discussed with @4cad via email. Closing this issue for now.