Open misterAnderson90 opened 2 years ago
I'm a PhD student interested in finding security vulnerabilities in open source projects.
We found a total of 27 warnings (indicating potential vulnerabilities) when running the CogniCrypt static analyzer (*) on zeus (or its library dependencies). We documented each one of these issues in private gists for the sake of confidentiality (non-disclosure).
Can you please let us know whether we can share these gists with you? We are eager to evaluate the perception of developers (e.g. severity of these warnings) and improve zeus's security, and the quality of the reports of static analysis tools.
(*) https://github.com/CROSSINGTUD/CryptoAnalysis
If you would like to disclose them privately you can email zeusln@tutanota.com. We're aware of a few issues we'll be correcting in the v0.6.0 release.
Hello @kaloudis,
I have sent the gists privately to your email. Could you please evaluate the severity of these issues?
Will dive in and evaluate this week. Thank you.
@kaloudis,
Did you have time to evaluate these issues? How do you perceive the warnings reported by this SAST tool?