Request For Security Contact

Question

RedYetiDev opened this issue 13 days ago · comments

Hi! I'm a security researcher, and I may have found a vulnerability in this project. I was wondering if you had a security contact?

I know it's been mentioned before, but I wanted to make sure I was getting the most up-to-date information.

Oscar Benjamin · Answer 1 · Fri Jun 14 2024 06:36:30 GMT+0800 (China Standard Time)

I wanted to make sure I was getting the most up-to-date information.

I'm sure nothing has changed. You can email me (Oscar Benjamin - email is in the AUTHORS file). I will reply CCing other people.

Aaron Meurer · Answer 2 · Fri Jun 14 2024 06:49:23 GMT+0800 (China Standard Time)

Should we set up one of the things here? https://github.com/sympy/sympy/security

Oscar Benjamin · Answer 3 · Fri Jun 14 2024 07:08:34 GMT+0800 (China Standard Time)

Should we set up one of the things here? https://github.com/sympy/sympy/security

@RedYetiDev would you have used one of those things if it were enabled?

We apparently have

Private vulnerability reporting • Disabled

but that could be changed. I don't know if that is actually a useful mechanism though.

Aviv Keller · Answer 4 · Fri Jun 14 2024 08:02:37 GMT+0800 (China Standard Time)

Yes, I would've. My order of resolving is usually

I'd suggest setting up a security policy that tells users to use GitHub private reporting