
Trying to get in touch regarding a security issue #778

Closed
JamieSlome opened this issue Dec 10, 2021 · 12 comments

Comments

@JamieSlome

Hey there!

I belong to an open source security research community, and a member (@HDVinnie) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

@driesvints
Member

Hi @JamieSlome @HDVinnie, thank you. Feel free to send me an email at hello@laravel.io and I'll get back to you as soon as I can. I'll add a SECURITY.md file as well.

Thanks!

@JamieSlome
Author

@driesvints - sorted for you 👍 You should have just received an e-mail.

Otherwise, you can view the private report here:

https://huntr.dev/bounties/5cd5fe0d-b3e1-4de4-816e-8d5af1b6f173/

@HDVinnie
Contributor

@driesvints thanks for taking the time to do this. I see you read the report and pushed a fix. Mind validating it on huntr? Once that is done I have another to report.

@driesvints
Member

I don't use that site sorry.

@JamieSlome
Author

@driesvints - no worries, we can arrange this for you, can you please confirm the commit SHA that addressed the issue?

@driesvints
Member

@JamieSlome here: 8dd022f

@JamieSlome
Author

@driesvints - thanks for the support! 👍

This report has now been marked as valid. Do you have a version number for the fix?

@driesvints
Member

@JamieSlome this is an app, not a package. There's no versioning.

@JamieSlome
Author

@driesvints - thanks for the info 😄

@HDVinnie
Contributor

@driesvints Thanks again for taking the time to read the disclosure and publish a fix. I do have one more for you if you're up for it. I know you said you don't want to use the site, so you can just visit the link, read it, and then let @JamieSlome know here that you confirm it's an issue, along with a commit SHA if you decide to fix it.

https://huntr.dev/bounties/1e2511a6-ed60-4c6b-8385-0fb6578e68cb

If you no longer wish me to do research on this app, just let me know and I will cease doing so.

Thanks again for taking the time and making this platform for Laravel devs. I'm a lover of Laravel, Livewire and AlpineJS, so I can appreciate this.

@driesvints
Member

Thanks @HDVinnie, I appreciate it 👍

Feel free to send whatever you have to the email address in the security policy.

@HDVinnie
Contributor

Sent
