How to get in touch regarding a security concern

[JamieSlome]

Hey there!

I belong to an open source security research community, and a member (@Sampaguitas) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

[Sampaguitas]

Hey there,

I tried to get in touch with the developers to disclose a prototype pollution vulnerability in your sequelize-typescript npm package two years ago but never got a reply.

The latest version as of your npm package (2.5.1) is still vulnerable.

Here is the link to the security report posted on huntr.com platform

I would appreciate if you validate it, a patch is also available to fix the vulnerability.

notes: this report is private and can only be viewed by maintainers of the project.

[WikiRik]

Thanks for sending another message. We've received it and will look into this issue. We will be giving updates on the huntr platform as well

[Sampaguitas]

Thank you Rik