OSC / ondemand

Supercomputing. Seamlessly. Open, Interactive HPC Via the Web
https://openondemand.org/
MIT License

Submitting security notices #798

Closed cstackpole closed 3 years ago

cstackpole commented 5 years ago

Greetings, My company did a basic security analysis of OpenOnDemand. A minor issue was discovered, but I do not want to disclose it openly. I sent an email to the only team member that I have a contact for, but I've not heard back from them. The security tab for the GitHub project is also empty, providing no assistance in reporting this issue.

What is the proper way to report security issues to the project? Can this be added to the Security tab for these projects please?

Thank you.

achalker commented 5 years ago

On our official project website, http://openondemand.org/, we indicate "If you have security concerns or think you have found a vulnerability in Open OnDemand, please contact us directly via email on the news list linked above". The list can be accessed at: https://lists.osu.edu/mailman/listinfo/ood-users or directly via ood-users@lists.osc.edu and emails sent to it are only distributed to the core project team members for moderation. We'll look at providing this same info in the Security tab.

cstackpole commented 5 years ago

Ack! I looked right over that when I was on the page. Sorry. But thank you for pointing it out. I will send an email right now.

Thank you for also considering adding that to the Security tab. I will go ahead and close this out now.

achalker commented 5 years ago

Thanks for pointing it out. I've put this info on the security tab now.

cstackpole commented 5 years ago

Sorry to reopen, but I got a bounce back from the email ood-users@lists.osc.edu saying that I can't send emails. It redirected me to discourse.osc.edu which is just as public as this post. :-/

achalker commented 5 years ago

Sorry about that. We had the list set up to reject messages, thinking we'd be copied on them as moderators. I've toggled it to hold them instead. Please try resending your message to the list.

cstackpole commented 5 years ago

Sent!

cstackpole commented 5 years ago

I just received an update that my email is being held for moderator approval. If you are comfortable with that, then feel free to close the ticket again. Thank you for your assistance!

achalker commented 5 years ago

Received via mailing list and responded.