arasatasaygin / is.js

Micro check library
http://is.js.org
MIT License

Trying to get in touch regarding a security issue #324

Open zidingz opened 3 years ago

zidingz commented 3 years ago

Hey there!

I'd like to report a security issue but cannot find contact instructions on your repository.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

evdama commented 2 years ago

@zidingz I've forked and migrated the entire codebase to ES6... maybe the issue is therefore gone? Let's have a look and let me know please https://github.com/evdama/is-it-check

JamieSlome commented 2 years ago

@evdama - potentially. You can find three reports we have received against this repository here:

https://huntr.dev/bounties/29bcb9c4-bf34-40a9-bf3e-34645c62789c https://huntr.dev/bounties/4bedb324-6fed-422e-b4b8-3624d09ca686 https://huntr.dev/bounties/56380c87-a124-4686-8db7-1e4e42514f64

They are all private and only accessible to maintainers with repository write permissions 👍 Let me know if you have any questions.

evdama commented 2 years ago

Ok, I see, I've forked the repo to https://github.com/evdama/is-it-check and upgraded it etc.

Therefore I don't seem to have access to the three links you provided right? Can you maybe go to my forked repo and create the bounties again because then I have owner permissions which then means I can access the bounty report on huntr.dev?


JamieSlome commented 2 years ago

Ah, I see!

We would require our researchers to therefore submit vulnerabilities against your repository.

@yetingli and @ready-research - if you want, you are both welcome to submit your reports to the forked repository, given that the vulnerability exists 👍

yetingli commented 2 years ago

Thanks @evdama and @JamieSlome . I have submitted my reports, please check them out.

https://www.huntr.dev/bounties/8582ef0e-6ea1-40a3-8de0-30c53dbc76af/ https://www.huntr.dev/bounties/12462790-03b6-4e36-a5af-383914747a1c

evdama commented 2 years ago

First one is fixed now

evdama commented 2 years ago

Second one is fixed too... issue can be closed

ewrayjohnson commented 1 year ago

So what is the solution for those of us who use packages that are dependent on the original? Is there a PR? Does someone even have authority to approve/merge a PR?