
Bug: Missing PGP Pubkey in SECURITY.md #15287


Closed
6 of 11 tasks
kkarhan opened this issue Nov 11, 2024 · 5 comments
Comments

@kkarhan

kkarhan commented Nov 11, 2024

What happened?

The SECURITY.md file does not contain a Public Key for secure communications.

Fix:

  • Please add a PGP Pubkey in ASCII Armoured format like:

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    ...
    -----END PGP PUBLIC KEY BLOCK-----

  • and its Fingerprint.

Platform

  • Chrome (or Chromium based)
  • Firefox
  • Safari
  • Other desktop browser
  • Android browser
  • iOS browser
  • Electron app
  • Android mobile app
  • iOS mobile app
  • Custom app using a mobile SDK

Browser / app / sdk version

Firefox 132.0.1 (amd64)

Relevant log output

No response

Reproducibility

  • The problem is reproducible on meet.jit.si

More details?

This is security-related, albeit not a security incident, but may inconvenience responsible disclosure.
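The request above asks for an armoured key block with its fingerprint printed beside it. As an added example that is not part of this issue or of the Jitsi project, the Python below shows the check a reader of such a SECURITY.md would run: dearmour the block, verify its CRC-24 trailer, and compute the OpenPGP v4 fingerprint (RFC 4880) to confirm it equals the published one. The key block it operates on is constructed in code with dummy values and is not a real key.

```python
import base64
import hashlib

def crc24(data: bytes) -> int:
    # CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF
def build_sample_armored_key() -> str:
    # Constructed input, not a real key: minimal v4 RSA public-key packet with dummy MPIs (RFC 4880 5.5.2)
    def mpi(x: int) -> bytes:
        return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1700000000).to_bytes(4, "big") + b"\x01" + mpi((1 << 1023) | 12345) + mpi(65537)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body  # old-format header: tag 6, 2-octet length
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
def dearmor(text: str) -> bytes:
    lines = text.strip().splitlines()
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----" or lines[-1] != "-----END PGP PUBLIC KEY BLOCK-----":
        raise ValueError("not an ASCII-armored PGP public key block")
    inner = lines[1:-1]
    if "" in inner:  # armor headers (Version:, Comment:) end at the first blank line
        inner = inner[inner.index("") + 1:]
    crc_line = inner.pop()
    if not crc_line.startswith("="):
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(inner))
    if base64.b64decode(crc_line[1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor CRC-24 mismatch: block is corrupted or was altered")
    return data
def v4_fingerprint(packet: bytes) -> str:
    # Fingerprint of the primary key packet: SHA-1 over 0x99, 2-octet length, body (RFC 4880, 12.2)
    if packet[0] & 0xC0 != 0x80 or (packet[0] >> 2) & 0x0F != 6 or packet[0] & 0x03 != 1:
        raise ValueError("expected an old-format public-key packet with a 2-octet length")
    length = int.from_bytes(packet[1:3], "big")
    body = packet[3:3 + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or non-v4 key")
    return hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()
def fingerprint_matches(armored: str, published: str) -> bool:
    # True when the fingerprint printed beside the key block really belongs to that key
    return v4_fingerprint(dearmor(armored)) == published.replace(" ", "").upper()
```

Spaces and case in the published fingerprint are ignored, so the usual `XXXX XXXX ...` grouping found in SECURITY.md files compares correctly.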

@saghul
Member

saghul commented Nov 11, 2024

We don't use GPG in the team in a widespread manner so it'd have created more friction for researchers to reach out to us.

Please reach out via plaintext email and we'll be happy to move the conversation to a more secure channel if need be.

@saghul saghul closed this as not planned Nov 11, 2024
@kkarhan
Author

kkarhan commented Nov 13, 2024

For security reasons alone, I do expect basic standards like security.txt (a.k.a. RFC 9116) to be implemented.

  • If you need help getting said security infrastructure setup I'm open for offers.

  • Using insecure channels to communicate is inherently bad, and setting up PGP is trivial, as is deploying, updating and redistributing said public and private keys.

Also please reopen the issue!

@saghul
Member

saghul commented Nov 13, 2024

Do you have an actual report to make?

We have been coordinating with security people for years,
there are ways other than PGP.

I find it ironic you chose to ignore our SECURITY.md file which you did read since you mentioned it in your initial message.

If you actually have a report to make please follow what's outlined there.

@kkarhan
Author

kkarhan commented Nov 20, 2024

As a matter of security, I'll not communicate anything related to security through insecure channels - period!

There is no excuse for not having a keypair for that at hand!

  • It's 2024 and Tails has been out for over a decade, Kleopatra and other tools make it absolutely trivial to create keys and even Thunderbird supports PGP/MIME out of the box for quite some time.

If you need help with setting it up (among multiple developers) I'm open for that.

  • But most "other ways" do not allow for proper E2EE with full self-custody of all the keys.

@saghul
Member

saghul commented Nov 21, 2024

> As a matter of security, I'll not communicate anything related to security through insecure channels - period!

Then I'm afraid this conversation is over.

You seem to be more interested in satisfying your own needs than in working with us in disclosing security problems.

If you want to collaborate with us, please read SECURITY.md and get in touch through one of the listed ways, a GH issue is not one of them.

@jitsi jitsi locked as too heated and limited conversation to collaborators Nov 21, 2024