Security vulnerability + preferred disclosure channel

[obi1kenobi]

I discovered a serious security vulnerability in the client, and in the spirit of responsible disclosure, I was hoping to discuss it privately with the maintainers of this project. However, I was not able to find a contact email address of any kind for either @mogui or @Ostico , and I'm unaware of any other maintainers with admin access to the repo.

I didn't want to simply open a pull request with the fix, because that until that pull request is merged and a new version is put on pypi, it's just sitting there as a proof-of-concept exploit of a vulnerability.

I would appreciate it if one of the maintainers could reply to this issue and direct me to the preferred channel for disclosing security vulnerabilities.

[lebedov]

Their email addresses are on the pyorient PyPI page.

[obi1kenobi]

Good call. I will update this issue once the vulnerability is resolved.

[Ostico]

Hi @obi1kenobi ,
feel free to write me directly about that, my email is in the PyOrient package also:
https://github.com/mogui/pyorient/blob/master/setup.py#L23

[obi1kenobi]

Will do. Taking this to email for now. Thanks!

[mogui]

Ohai mail are available on pypi address is directly with all the details please :)

Sorry for typo, sent in mobility
Niko

On 04 Feb 2016, at 22:57, Predrag Gruevski notifications@github.com wrote:

Will do. Taking this to email. Thanks!

—
Reply to this email directly or view it on GitHub.

[obi1kenobi]

Addressed in #172.