
Security Contact #536

Closed
agustingianni opened this issue Jan 14, 2020 · 12 comments

Comments

@agustingianni

Dear maintainers,

As part of my work at GitHub's Security Lab, I have identified some security issues in openfortivpn and I would like to know the preferred way of communicating said issues.

Best regards.

@DimitriPapadopoulos
Collaborator

Is it possible to open hidden issues in GitHub, for maintainers' eyes only?

Otherwise you may contact @mrbaseman and myself @DimitriPapadopoulos directly. I think Martin is using his real email address in GitHub. Do you have access to my real email address (not the @users.noreply.github.com one)?

Hope this helps.

@agustingianni
Author

Hello Dimitri,

There is a way to create security reports on GitHub, but it has to be enabled by maintainers. More information can be found here: https://help.github.com/en/github/managing-security-vulnerabilities.

I've tried, but I cannot message you or @mrbaseman directly, and I also do not have access to your emails.

You can contact me at agustingianni@github.com if you think that's the best option.

@DimitriPapadopoulos
Collaborator

I'm in the process of adding a Security policy: #537

@DimitriPapadopoulos
Collaborator

Can we or can you create a draft security advisory that we can share privately?

@agustingianni
Author

Yes sure, you need to create an advisory (provided you are an admin) and then add me as a collaborator if I'm not mistaken.

Thanks.

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Jan 14, 2020

I have created an advisory and @mrbaseman and @agustingianni have been added as collaborators.

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Jan 14, 2020

@mrbaseman We probably need a mail address to report security issues (mail would currently be forwarded to each of the maintainers). Any clue how to do that?

@mrbaseman
Collaborator

I have registered openfortivpn.org.
I'm not sure if this domain causes any costs in my private web hosting product that I have anyway, but if so, I'd consider this a financial contribution from my side to the project.
In the next days I can set up email addresses, and if we want we can also construct a web page or anything we like. I have PHP and web space anyway.

PS: I'm ill, therefore less responsive these days

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Jan 16, 2020

Please bear with us while we're processing the draft advisory. The most knowledgeable maintainer is currently ill. If he cannot handle this in the next few days I'll look into the draft advisory myself. At first glance it looks clear and valid, of course.

In the meantime:

  • I have created a preliminary security policy to enable security advisories.
  • @mrbaseman has purchased the openfortivpn.org domain.
  • I hope we can have a security@openfortivpn.org mailing list soon. Who do we add to this list?
  • We must discuss the security policy. Do we use GitHub advisories to handle security issues? A benefit is that we get private branches for free to handle the GitHub advisories. An obstacle is that only project admins can create advisories; as far as I can see, GitHub does not have the concept of a security team that could create advisories. We must therefore adapt our workflow for security issues: either more admins, or advisories are created by the current admin only.

@agustingianni
Author

Hello again. Sure, take as much time as you need. If you have any questions you can always contact me. I'm still taking a look at the software and I will let you know if I find anything else.

Thanks for keeping me updated.

@agustingianni
Author

Thank you for the great work you did fixing the issues. I think this issue should be closed.
Thanks again.

@mrbaseman
Collaborator

Thank you @agustingianni for reporting your findings and for the fruitful collaboration.
