Create Security Policy#147
Conversation
Signed-off-by: Joyce <joycebrum@google.com>
|
It seems that #112 also address this issue, sorry for creating in duplicative. But perhaps this Security Policy I've suggest (which is a quite simple but sufficient) will better suit the project than the generic github proposed one (which is just a placeholder by now). |
|
@manugarg: We (@SonarSource) disclosed a vulnerability privately by email on June 24, 2022 and got no answer so far. Please consider enabling this feature so we can collaborate on a patch. |
|
Sorry for the delay. I've merged this now. Thanks @joycebrum! |
|
Thanks @thomas-chauchefoin-sonarsource! We've responded to one of the vulnerabilities from a different org I think. I've also added sonarlint to the build pipeline. |
|
Thank you for merging this! It looks like the feature "Private vulnerability reporting (Beta)" was not enabled in the GitHub settings of this repository though, so the link to https://github.com/manugarg/pacparser/security/advisories/new does not work. We will re-report the issue, it's still exploitable on today's HEAD. |
|
https://github.com/manugarg/pacparser/security/advisories/new works for me, but likely I am the owner. I've enabled "Private vulnerability reporting (Beta)". |
Closes #113
I've created the SECURITY.md file considering the report vulnerability through security advisory, which is a new github feature still in beta and that has to be enabled.
If you're interested in GitHub's feature, it must be activated for the repository:
If you rather not enable it there is also the possibility to receive the vulnerability report through an email, in this case just let me know which email it would be and I'll submit the change.
Besides that, feel free to edit or suggest any changes to this document, it is supposed to reflect the amount of effort the team can offer to handle vulnerabilities.