ankidroid / Anki-Android

AnkiDroid: Anki flashcards on Android. Your secret trick to achieve superhuman information retention.
GNU General Public License v3.0

Found a possible security concern, requesting for SECURITY.md/vulnerability reporting details #16240

Closed blackbeard666 closed 2 weeks ago

blackbeard666 commented 3 weeks ago

Hello!

I'm a security researcher looking at different open source software with the intent of finding and reporting vulnerabilities -- I may have found some potential issues in yours (Anki-Android) which I would like to privately share/discuss with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? Alternatively, you can also check the following articles from Github regarding setting up security advisories/private vulnerability reporting for your repository:

welcome[bot] commented 3 weeks ago

Hello! 👋 Thanks for logging this issue. Please remember we are all volunteers here, so some patience may be required before we can get to the issue. Also remember that the fastest way to get resolution on an issue is to propose a change directly, https://github.com/ankidroid/Anki-Android/wiki/Contributing

mikehardy commented 3 weeks ago

Hi there @blackbeard666 👋

I'm not sure adopting a security policy is the most expedient way to handle this as that requires creation+discussion+adoption etc and we're pretty time-limited (aren't we all?) but security stuff is frequently time-sensitive.

Our organization is enrolled in the security configurations and global settings public beta, so I have followed this process:

https://docs.github.com/en/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-the-github-recommended-security-configuration-in-your-organization

...and now all the repositories in the ankidroid organization have the "GitHub recommended" security configuration.

When I check inside the settings for this repository I confirm that "Private Vulnerability Reporting" is now enabled for the repository. You should be able to report whatever you've found without inadvertent disclosure now, I believe?

Thanks

blackbeard666 commented 2 weeks ago

Hi @mikehardy thanks for enabling the reporting feature. Not sure if you've already been notified of it but I've already submitted the report -- can you confirm if it's already visible on your end? (should be in the security tab). Thanks!

mikehardy commented 2 weeks ago

Found it - thank you - it is visible - going to close this here as I think the general problem in this logged issue is/was that we had no mechanism to report anything responsibly, which wasn't a good stance. We're able to collaborate now on anything anyone wants to bring up, security-wise, in a private way if folks desire, so that should handle the general issue.