Preferred way to report vulnerabilities?

[dbrumley]

Do you have a preferred way to (responsibly) report possible security vulnerabilities in this library?

[tomjnixon]

Hi,

We don't have a well-defined way; I've been trying to figure it out but it's taking some time.

Until then, you could email me at thomas.nixon at bbc.co.uk. Hopefully this comment will have a member badge showing that I'm a reasonable point of contact.

Otherwise you could try the EBU vulnerability disclosure form, perhaps mentioning me as a point-of-contact so it gets to the right place: https://www.ebu.ch/about/contact-us/vulnerability-disclosure

Thanks for your patience.

[tomjnixon]

OK, apparently member badges are not publicly visible; please use the form I linked. Found the setting to turn it on.

[dbrumley]

Will do! I also emailed Benjamin Weiss as he is listed as a contributor. (Potentially an issue on my side; I didn't verify how active he is.)

Thanks for getting back to me! I'll report, and leave it to you to decide if a vuln. If so, I'd like to pursue a CVE just because I'm a small business, and it helps a bit to have such things.

Thank you!

[tomjnixon]

Great. Unfortunately IRT no longer exists so he may not get your message, or may not have time to act on it.

[dbrumley]

No worries. Github seems to have this Security tab now; not sure how to configure it. Might be something (if you have admin access to repo) that you could configure. I filled out the form. Thanks! David Dr. David Brumley CEO Executive Assistant: Teressa Peirona < ***@***.*** >

…

On Wed, Oct 13, 2021 at 11:08 AM, Thomas Nixon < ***@***.*** > wrote: Great. Unfortunately IRT no longer exists so he may not get your message, or may not have time to act on it. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub ( #22 (comment) ) , or unsubscribe ( https://github.com/notifications/unsubscribe-auth/AAWWRV65EH6GAM637PU277LUGWOGVANCNFSM5FZN226Q ). Triage notifications on the go with GitHub Mobile for iOS ( https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 ) or Android ( https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub ).