apache / cordova-ios

Apache Cordova iOS
https://cordova.apache.org/
Apache License 2.0

Outdated security policy #1452

Closed marekkalnik closed 3 months ago

marekkalnik commented 3 months ago

Bug Report

Problem

I have a potential security problem to disclose. The current security policy is outdated and does not help a contributor to disclose the vulnerability easily.

What is expected to happen?

I can contact someone easily and privately.

What does actually happen?

I get a link to Apache Vulnerability Handling Process. The Cordova project is not in the contact list of Apache Project Security Information.

The page states to contact the users group in case the project is not listed. I am unable to find the users group anywhere.


breautek commented 3 months ago

The contact list is for projects that have a dedicated person to handle security reports/inquiries. The Apache Cordova project does not have a dedicated security person, so security issues are handled via Apache's general security team. As stated on the project contacts page:

To report a vulnerability in an Apache project that is not listed below, contact the Apache Security Team.

To be frank, I'm really not sure how much more clear the site could be. So please email to security@apache.org to report any vulnerabilities. They will triage and forward the report to the project team members via a private list.

Further reading on how to report a vulnerability: https://apache.org/security/#reporting-a-vulnerability