Security Contact #12684

Closed
limerencee opened this issue Sep 14, 2023 · 3 comments

@limerencee

Hi team,

I would like to suggest adding a proper point-of-contact for security-related issues. Here's why:

  1. The current instructions to create a forum account and to private message an administrator are not feasible as there are restrictions in place that prevent new accounts from sending private messages.
  2. Opening a support ticket is not productive. The support agents are not trained to triage security bug reports and thus act as an extra hurdle between the bug reporter and the maintainers/developers. When requesting to send a bug report to the developers, the agents would ask you to just send it over in plain view to them, to which they would forward it to the developers. When asked if there are any GPG keys available, the answer would be no.
  3. There are no further instructions nor contact details for reporting security vulnerabilities. I am opening this Issue on your GitHub repo because I am out of options.
@danielkerr
Member

wasting my time

@limerencee
Author

Hi Daniel,

Thanks for getting back. Can you please let me know where I can reach you regarding a security issue I have found in the codebase? It still exists in the latest version of the codebase, so I will not be disclosing it publicly here.

Thank you.

@danielkerr
Member

ur wasting my time and sound like a spammer! how fucking dare u bother open source projects to push ur own services

@opencart opencart locked as spam and limited conversation to collaborators Sep 15, 2023