418sec / huntr

Public Roadmap | huntr.dev
https://huntr.dev

Check default GitHub user/orgz for outreach #2104

Closed dwisiswant0 closed 3 years ago

dwisiswant0 commented 3 years ago

It seems that Huntr currently checks the SECURITY.md file only at the repository level ({user/orgz}/repository), but not at the default GitHub configuration level of the GitHub user or organization ({user/orgz}/.github).

This is the case with my disclosure, ID 5e232589-d78d-4cb8-9d0b-cb7c428ac059.

adam-nygate commented 3 years ago

@JamieSlome I thought we implemented it so that we check for a security policy via the security tab? i.e. https://github.com/coreybutler/node-windows/security/policy

JamieSlome commented 3 years ago

@adam-nygate - we do!

We have also had instances where the SECURITY.md is added via their global .github folder, and still capture the e-mail address.

adam-nygate commented 3 years ago

> @adam-nygate - we do!
>
> We have also had instances where the SECURITY.md is added via their global .github folder, and still capture the e-mail address.

Ah, thanks for confirming.

@dwisiswant0, we do check for the SECURITY.md on the user/organisation level, and not just the repository level.

In this instance, it looks like the SECURITY.md was created after we reached out to them, as can be seen here: https://github.com/coreybutler/.github/blob/main/SECURITY.md

@zidingz do you know if we manually facilitated this disclosure after the SECURITY.md was created?
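The lookup order the thread describes, as an added example rather than huntr's own code: the repository's own SECURITY.md (root, `.github/` or `docs/` folder) is tried first, and only then the owner-wide default in the `{owner}/.github` repository. The fetcher is injected so the example runs offline against a constructed in-memory stand-in for GitHub; owners, repositories and addresses are hypothetical.

```python
"""Resolve a GitHub security policy: repository first, then the owner's
default `.github` repository. Added example, not huntr's implementation."""
from dataclasses import dataclass
from typing import Callable, Optional

# Folders GitHub accepts for a repository's own SECURITY.md.
REPO_PATHS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")
# Owner-level default community health files live in a repo named ".github".
DEFAULT_HEALTH_REPO = ".github"

# (owner, repo, path) -> file text, or None when absent. A real fetcher would
# request https://raw.githubusercontent.com/{owner}/{repo}/{branch}/{path}.
Fetcher = Callable[[str, str, str], Optional[str]]


@dataclass(frozen=True)
class Policy:
    owner: str
    repo: str        # repository that actually holds the file
    path: str
    inherited: bool  # True when served from the owner's .github repo
    text: str


def find_security_policy(owner: str, repo: str, fetch: Fetcher) -> Optional[Policy]:
    """Return the policy GitHub would show on {owner}/{repo}/security/policy."""
    for path in REPO_PATHS:
        text = fetch(owner, repo, path)
        if text is not None:
            return Policy(owner, repo, path, False, text)
    # Fallback: root SECURITY.md of the owner's default ".github" repository
    # (the location seen in the issue's coreybutler/.github link).
    text = fetch(owner, DEFAULT_HEALTH_REPO, "SECURITY.md")
    if text is not None:
        return Policy(owner, DEFAULT_HEALTH_REPO, "SECURITY.md", True, text)
    return None


# Constructed sample data standing in for GitHub (hypothetical owners/repos).
_FAKE_GITHUB = {
    ("alice", "widget", "SECURITY.md"): "Report to widget-sec@example.com",
    ("alice", ".github", "SECURITY.md"): "Report to security@example.com",
    ("bob", "tool", ".github/SECURITY.md"): "Report to bob-sec@example.com",
}


def fake_fetch(owner: str, repo: str, path: str) -> Optional[str]:
    return _FAKE_GITHUB.get((owner, repo, path))


if __name__ == "__main__":
    for owner, repo in (("alice", "widget"), ("alice", "gadget"), ("bob", "tool"), ("carol", "x")):
        print(owner, repo, find_security_policy(owner, repo, fake_fetch))
```

Recording `inherited` and the file's commit date alongside the contact found lets an outreach process tell a repository-specific policy from an owner-wide default, and a policy that existed before contact from one added afterwards.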

dwisiswant0 commented 3 years ago

Ah, my bad. I didn't notice the commit date. Thanks for the confirmation, closing now!