🔐 NewPass is a free and open source password manager which will allow you to generate and store your passwords securely, saving them locally and encrypting them on your phone's memory
As a password manager, I think it is essential to have a private contact method for security issues so fixes can be prepared before people's data is put at risk.
The repository says it is not yet to be trusted. Those who read the readme would know, but if someone gets this software recommended and went straight to the releases page, or downloaded it directly from F-Droid or some other method, they couldn't know that it's not yet considered ready for use. (And with how much engagement this repository already has, I doubt there isn't anybody already actually using it despite the warnings.)
Some common options for vulnerability reporting are
publishing a PGP or other type of public key on the website to be used for email,
a form on your site, or
nowadays GitHub also supports enabling private issue reporting, though this requires people to make a GitHub account (this was impossible for a while because the captcha system was broken; besides that, the signup page is nearly unusable on CPU graphics as our employer requires, and probably in the future it will necessitate a Microsoft account since they bought GitHub), so I'm not sure I'd recommend that hurdle as the only method when there also exist universally accessible things like encrypted email, but this repository setting has the advantage that it's 5 seconds to turn on
To publish the information on how to report vulnerabilities,
I personally (as security consultant, but I'm old so take my ideas of what's current with a grain of salt) first look in the readme and also on the website for a phrase like "report a [security issue|vulnerability]", or a "security" entry in the website menu or footer, so I'd put (links to) the info in both of those places, but
the most standardized method is now technically <domain>/security.txt, though afaik this is not yet widespread (chicken-and-egg problem -- you could be an early adopter here and help the standard!). The .nl registry actually gives you a discount (info in Dutch unfortunately) on your domain name if the domain has a security.txt to stimulate adoption of the standard. Not that you use .nl but I thought that's an interesting fun fact :)
It could also be included in the repository under /security.md
Edit: So... GitHub reports I have done a thing which I'm rather certain I haven't done
I can't even access that field to change it, so I doubt I could have set it if I had tried... this wasn't me assigning an incorrect label, don't listen to its lies xD
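To make the security.txt suggestion concrete, here is an added example (not code from NewPass or from the issue author) that parses a security.txt file and checks the points researchers actually rely on: a required Contact URI, a required single ISO 8601 Expires that is not in the past, and an Encryption pointer with an allowed scheme, following RFC 9116, which places the file at /.well-known/security.txt with /security.txt as the legacy location. The sample file and its example.org addresses are constructed placeholders.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample (placeholder addresses, not NewPass's real contact details)
SAMPLE = """\
Contact: mailto:security@example.org
Contact: https://example.org/security-form
Encryption: https://example.org/pgp-key.txt
Expires: 2099-01-01T00:00:00.000Z
"""

CONTACT_SCHEMES = {"mailto", "https", "tel"}          # RFC 9116 section 2.5.3
ENCRYPTION_SCHEMES = {"https", "dns", "openpgp4fpr"}  # RFC 9116 section 2.5.4


def parse_security_txt(text):
    """Return {field: [values]}, skipping comments and blank lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate(text, now=None):
    """List the problems found; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if not fields.get("Contact"):
        problems.append("missing required Contact field")
    for c in fields.get("Contact", []):
        if urlparse(c).scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact must be a mailto:/https:/tel: URI: {c}")
    for e in fields.get("Encryption", []):
        if urlparse(e).scheme not in ENCRYPTION_SCHEMES:
            problems.append(f"Encryption must be an https:/dns:/openpgp4fpr: URI: {e}")
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("Expires is required and must appear exactly once")
    else:
        try:  # ISO 8601 is required; Python < 3.11 cannot parse a trailing 'Z'
            if datetime.fromisoformat(expires[0].replace("Z", "+00:00")) <= now:
                problems.append("Expires is in the past; the file will be treated as stale")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    return problems
```

Run `validate(open(".well-known/security.txt").read())` against the file you intend to serve; an empty list means it is at least structurally sound before you publish it.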