beemdevelopment / Aegis

A free, secure and open source app for Android to manage your 2-step verification tokens.
https://getaegis.app
GNU General Public License v3.0

Cryptographic APIs misuses #900

Closed misterAnderson90 closed 2 years ago

misterAnderson90 commented 2 years ago

I'm a PhD student interested in finding security vulnerabilities in open source projects.

We found a total of 43 warnings (indicating potential vulnerabilities) when running the CogniCrypt static analyzer (*) on Aegis (or its library dependencies). We documented each one of these issues in private gists for the sake of confidentiality (non-disclosure).

Can you please let us know whether we can share these gists with you? We are eager to evaluate the perception of developers (e.g. severity of these warnings) and improve Aegis' security, and the quality of the reports of static analysis tools.

(*) https://github.com/CROSSINGTUD/CryptoAnalysis

alexbakker commented 2 years ago

Sure, feel free to send us an email at: beemdevelopment@gmail.com.

We've received a couple of reports from automated scanning tools in the past, but in our experience they've always had a really bad signal to noise ratio. We're happy to take a look though!

alexbakker commented 2 years ago

@misterAnderson90 Did you end up emailing us about this? I don't see anything in our inbox.

alexbakker commented 2 years ago

No response.

misterAnderson90 commented 2 years ago

Hello @alexbakker,

I'm sorry for not sending you an e-mail before. I've shared the private gists with you. Can you please evaluate them based on your perception of the reported warnings?

Please let me know whether you are interested in receiving a file with all warnings.

theAkito commented 2 years ago

Please, report this spammer. This is just a bot spamming the very same message to tons of open source repositories. The only things that are changed in the message are the repository's name and the amount of warnings.

alexbakker commented 2 years ago

@theAkito We did actually end up receiving an email with a sample of his findings. The findings we've received so far all appear to be false positives (very common with these sorts of tools). We've asked for the rest of the findings, but haven't received a response yet.

I don't think he's a spammer, he's just not great at following up on replies.

theAkito commented 2 years ago

@alexbakker

That may be the case, however it's not the point.

Spamming the same crap to over 40 open source repositories within a relatively short period of time is just SPAM.

If that wasn't enough, the bot doesn't get it.

I closed this issue yesterday: https://github.com/theAkito/webmon/issues/39

Today, the same bot opened another issue with the same content, which I don't care about: https://github.com/theAkito/webmon/issues/40

If it's a human being and just "not great at following up on replies", then why open another issue with the same content, after I had closed the first one?

That said, even if there is someone sitting there testing out his software scanner, it's still SPAM if he spams tons of open source repositories with his findings without being asked to do it in the first place. It's SPAM either way, even if there might actually be results coming from a request.

I never asked for the scan, and I don't care about someone testing out his new project on third-party projects.

If he really cares about the security of my project, he should stop promoting his project, write a serious paper about the vulnerabilities, and publish it on his own GitHub space.