Security Reporting #15975
Replies: 3 comments 1 reply
-
Also, no matter which avenue is preferred in the future for reporting potentially security-relevant issues, a spelled-out policy of what kind of boundaries and types of issues you consider relevant for private reporting would also be great. This is especially tricky for file systems of course (with the almost endless source of trouble being intentionally or accidentally malformed/corrupted on-disk structures), but something along the lines of
with descriptions of where you consider security boundaries to exist or not might help.
-
Still haven't heard back either here or in the report itself -> I'll just open a public issue/PR at the start of next week since the actual bug that prompted all of this is not that critical. I'd still appreciate some sort of response ;)
-
Hi,
I recently (>1 week ago) filed an issue using GH's built-in security reporting feature, but haven't heard back yet at all. So I wonder - is that not the right place to report? Is anybody monitoring incoming reports there? Even a short "thanks, will take a look sometime soonish" would alleviate my fear that I am talking to the void ;)
If it's not the right place to report those, I'd appreciate a pointer where to report them (and also would suggest disabling that feature on the GH side ;)).
Thanks!