Request For Security Contact
RedYetiDev opened this issue
Hi! I'm a security researcher, and I may have found a vulnerability in this project. I was wondering if you had a security contact?
I know it's been mentioned before, but I wanted to make sure I was getting the most up-to-date information.
I'm sure nothing has changed. You can email me (Oscar Benjamin - email is in the AUTHORS file). I will reply CCing other people.
Should we set up one of the things here? https://github.com/sympy/sympy/security
@RedYetiDev would you have used one of those things if it were enabled?
We apparently have
Private vulnerability reporting • Disabled
but that could be changed. I don't know if that is actually a useful mechanism though.
Yes, I would've. My order of resolving is usually
- Check SECURITY.md
- Check private reporting
- Request contact
I'd suggest setting up a security policy that tells users to use GitHub private reporting