Security vulnerability disclosure: looking for private contact #12786
Hi OpenCRVS team, I am an independent security researcher and have identified what I believe to be a security vulnerability in opencrvs-core related to authentication configuration. I would like to disclose this privately and responsibly before any public discussion. Thank you
Replies: 2 comments
@psanskaar Thanks for your message! Could you please reach out to me using the riku@opencrvs.org address?
Thank you to @psanskaar for taking the time to review OpenCRVS and raise a question regarding the default 2FA configuration in development and QA environments.
Although our review concluded that this behaviour is intentional and does not affect supported production or staging deployments, the discussion highlighted an opportunity to further reduce the risk of developer misconfiguration, if our documented process of using yarn environment:init is ignored and environments are created manually.
As a result, we have improved the default configuration to better align with our documented environment setup process. The yarn environment:init script should always be used in production where citize…
We appreciate @psanskaar's interest in OpenCRVS and their contribution to improving the developer experience and security posture of the project.