I was recently contacted by someone who found a vulnerability in the Coin library. They sent me a proof-of-concept, but the underlying issue will need a patch, as well. This raises the issue of needing a process to handle these sorts of disclosures throughout the Coin ecosystem. Sorry @VolkerEnderlein for not creating this issue before the tagging of a new release! Moving forward, I suppose the first thing to do would be for me to share this exploit PoC to those who want to take a stab at making a patch. Thoughts? Anyone else in the org who should be tagged? Perhaps @looooo ?
Thanks for bringing this up, @kkremitzki. I am not aware that GitHub provides such a security channel that can be accessed only by specific maintainers, but I am highly interested in the PoC. Can you mail me the data to volkerenderlein@hotmail.com? That would be very helpful. All maintainers of Coin should be tagged: @veelo, @looooo, @ggabbiani, @WizzerWorks, @Renreok and @TheHubbit. Maybe one of them can support us in finding a proper solution for the issue.
I simply was responding too fast without checking the GitHub documentation. GitHub provides such a feature on a per-project basis. It can be found under Settings -> Code security and analysis -> Private vulnerability reporting. If enabled, private communication with the maintainers and owners of the repository can be done on the Security tab under the category Advisories. Meanwhile I have enabled this feature for all top-level projects of the Coin3D organisation. The feature has not been enabled for repositories used as submodules in top-level projects.