ZeusLN / zeus

A mobile Bitcoin wallet fit for the gods. ⚡️ Est. 563345
https://ZeusLN.com

Cryptographic APIs misuses #658

Open misterAnderson90 opened 2 years ago

misterAnderson90 commented 2 years ago

I'm a PhD student interested in finding security vulnerabilities in open source projects.

We found a total of 27 warnings (indicating potential vulnerabilities) when running the CogniCrypt static analyzer (*) on zeus (or its library dependencies). We documented each one of these issues in private gists for the sake of confidentiality (non-disclosure).

Can you please let us know whether we can share these gists with you? We are eager to evaluate the perception of developers (e.g. severity of these warnings) and improve zeus's security, and the quality of the reports of static analysis tools.

(*) https://github.com/CROSSINGTUD/CryptoAnalysis

kaloudis commented 2 years ago

If you would like to disclose them privately you can email zeusln@tutanota.com. We're aware of a few issues we'll be correcting in the v0.6.0 release.

misterAnderson90 commented 2 years ago

Hello @kaloudis,

I have sent the gists privately to your email. Could you please evaluate the severity of these issues?

kaloudis commented 2 years ago

Will dive in and evaluate this week. Thank you.

misterAnderson90 commented 2 years ago

@kaloudis,

Did you have time to evaluate these issues? How do you perceive the warnings reported by this SAST tool?