RandomFractals / geo-data-viewer

Geo Data Analytics tool for VSCode IDE with kepler.gl support to generate and view maps 🗺️ without any Python 🐍, IPyWidgets ⚙️, pandas 🐼, Jupyter notebooks 📚, or ReactJS ⚛️ app code.
https://marketplace.visualstudio.com/items?itemName=RandomFractalsInc.geo-data-viewer
Apache License 2.0

Vulnerability report information #155

Closed Bruswei closed 10 months ago

Bruswei commented 10 months ago

Hello,

After cloning the repository, I performed a security analysis and discovered a critical vulnerability associated with it. For security best practices, I believe it's unwise to disclose the vulnerability details publicly. Since I was unable to locate any information on how to report security issues, could you guide me on the appropriate procedure or provide a secure point of contact to report this finding?

RandomFractals commented 10 months ago

@Bruswei Geo Data Viewer is an open source project. You can file any critical security issues using GitHub Issues.

There might be some related to the libraries we use for this VS Code extension. However, the extension itself doesn't use telemetry and doesn't directly modify geo data sources used.

Will close this as invalid unless you have some critical direct security vulnerability scenarios to share.

Bruswei commented 10 months ago

Thank you for your response.

While I recognize the open source nature of the project, I have reservations about publicly disclosing detailed information regarding a security vulnerability, such as in a GitHub issue. The concern is that this might expose users to potential exploits.

The specific vulnerability I discovered was:

Improper Input Validation [Critical Severity] (https://security.snyk.io/vuln/SNYK-JS-XMLDOM-3092935) in xmldom@0.6.0

Given the discovery of this vulnerability, I believe it's important to prioritize security by acknowledging and addressing any potential threats, regardless of their immediate use within the extension.

Cheers.