ninenines / cowboy

Small, fast, modern HTTP server for Erlang/OTP.

Home Page: https://ninenines.eu

Add a security policy

JamieSlome opened this issue · comments

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@lethanhtrung22) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

You can send me an email at contact@ninenines.eu if you want.

If this is related to the distribution cookie, please see this comment: #1574 (comment)

Thanks for the follow-up @essen :)

Happy to create a SECURITY.md with this e-mail address for you 👍

Just for reference, the report can be found directly here:
https://huntr.dev/bounties/ffd5c11f-aec1-476c-823f-0fcca493d179/

It is private and only accessible to maintainers with repository write permissions.

That's exactly the same issue I linked, please read the comment. This is not a security vulnerability in Cowboy, the distribution cookie is meant to separate clusters, not to provide authentication. It is up to product developers to configure, expose or implement restrictions depending on their needs.