
May I ask if it's possible to apply for a CVE for this project if a security vulnerability is found? #2870

Closed
sunriseXu opened this issue Apr 11, 2024 · 7 comments

@sunriseXu

Description

Hi there, recently, I found a security bug in this project, may I ask if it's possible to apply for a CVE for this project if a security vulnerability is found?

@falkoschindler
Contributor

Thanks for bringing this to our attention, @sunriseXu!
We're very interested in documenting and fixing security vulnerabilities in NiceGUI. But we don't have experience with CVEs in our own project yet. What would need to be done from our side? How does it compare to reporting a regular GitHub issue? Can you help us set things up, or should we ask for help from the community?

@falkoschindler falkoschindler added the question Further information is requested label Apr 11, 2024
@sunriseXu
Author

Thanks for your response!
Do you mind enabling private vulnerability reporting for the repository, so I can report the bug privately? After the maintainers review and confirm the bug, I will submit a CVE request to https://cveform.mitre.org/ to get a CVE id. When the bug is fixed, the bug report can be disclosed, and it will be referenced in the CVE information.

@falkoschindler
Contributor

falkoschindler commented Apr 11, 2024

@sunriseXu Alright, we enabled private vulnerability reporting. 👍🏻

I assume by enabling this setting this issue is resolved. We will discuss the actual security issue privately.

@falkoschindler falkoschindler removed the question Further information is requested label Apr 11, 2024
@falkoschindler falkoschindler added this to the 1.4.21 milestone Apr 11, 2024
@sunriseXu
Author

Thank you!

@falkoschindler
Contributor

@sunriseXu No, I just published it because I thought that's the right thing to do after providing a fix in https://github.com/zauberzeug/nicegui/releases/tag/v1.4.21. Shouldn't GitHub's Dependabot start warning other developers about this security issue in NiceGUI? Please correct me if I'm wrong.

@falkoschindler
Contributor

@sunriseXu I just edited your description to hide any details until I understand what should be part of the public advisory and what not.

@sunriseXu
Author

sunriseXu commented Apr 13, 2024

Thank you for the CVE application; I have confirmed that the bug is fixed. I think it is fine to hide details about the vulnerability; a general description is good enough. Thanks again for everything and have a great day!
