Create SECURITY.md #1997
Comments
|
Hi @JamieSlome, thank you. If you plan to report issues found by a fuzzer, our preference is that you open a public issue. Otherwise feel free to send us an email at security@gpac.io. We'll discuss among maintainers about adding the SECURITY.md file. Github recommendations seem more complete than last time I checked, thanks for the link. |
|
added SECURITY.md with basic info |
|
Hello, @rbouqueau @aureliendavid for the responses! You should have received multiple e-mails to the address you added to your For reference, the reports are: https://huntr.dev/bounties/e055098a-5909-4bec-8b7f-ab0dbb703dbf/ All reports are private and can only be accessed by the magic link sent in the e-mails, or you can view the reports if you have repository write permissions. |
|
Hello @JamieSlome Happy new year! Can the magic links you sent us by email made public if we'd like to? |
|
@rbouqueau - a happy new year to you too! 🎉 The magic links are not to be shared, as they provide maintainer controls which should only be used by maintainers or contributors with write permissions. If you would like the reports to be public, we can arrange this for you. LMK ❤️ |
|
On our wishlist it would ideal if we could change the visibility of the report once we have internally reviewed it. Even better: once we change the visibility to public, it becomes a github public issue! Thanks again! |
|
@rbouqueau - awesome ideas and we would love to keep them tracked! I'd love to invite you to create an issue on our GitHub repo: https://github.com/418sec/huntr/issues/new Tell us about your feature request and a member from our team will get round to responding! Just to confirm, would you like me to make the reports publicly visible now? 🤝 |
|
Done. Thank you so much! |
|
@rbouqueau - looks like the e-mails went out but they soft-bounced. Can you confirm if you have received the magic URLs? |
|
we've received the emails but some addresses on our list are misconfigured so might bounce it is being fixed atm |
|
@JamieSlome Thanks for touching base. This just confirms that dealing with emails for an entity like us is not efficient. I think the text in the security.md makes it clear. I hope your organization will be able to implement 418sec/huntr#2188! FYI see #2050 #2051 and #2052 for the issue that your community raised. |
|
@rbouqueau - thanks for the update. Will just (cc) @psmoros into this conversation for tracking purposes of the demand for the feature request. |
|
@JamieSlome Once the issues are fixed, what is expected from us on your platform? |
|
I've marked issues as confirmed and fixed on huntr.dev using the magic links |
|
@aureliendavid thanks 👋 That is all now! |
Hey there!
I belong to an open source security research community, and a member (@AiDaiP) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a
SECURITY.mdfile with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
The text was updated successfully, but these errors were encountered: