cactus / go-camo

A secure image proxy server
MIT License

Responsible Vulnerability Disclosure #35

Closed. dappelt closed this issue 5 years ago.

dappelt commented 5 years ago

Specifications

Version: go-camo 1.1.4
Platform: Any

Behavior

I would like to report a security vulnerability in go-camo. Is there a preferred (and confidential) way of receiving more details?

dropwhile commented 5 years ago

@dappelt Thanks for reaching out!

I have a wire account (@ixephus), if that meets your requirements for secure/confidential information exchange. If not, let me know if you have any suggestions for alternatives.

Note: Alas, I seldom use the wire account (not many people I chat with regularly on there yet), so dropping a message like this is probably the best way to get me to check it.

jacobbednarz commented 5 years ago

Side note: @cactus do you intend to use GitHub's maintainer security advisories for this type of thing? You can also establish a policy in there, which would help this type of discussion.

dropwhile commented 5 years ago

@jacobbednarz Interesting. I didn't realize that advisories allowed for private collaboration. I'll definitely look into it!

dropwhile commented 5 years ago

@jacobbednarz thanks again for the heads up.

Status:

jacobbednarz commented 5 years ago

nice one! I've just confirmed I can't see it, so your secrets are safe for now 🙂

dappelt commented 5 years ago

> created a draft security advisory, and invited @dappelt to collaborate on it.

Perfect, I provided more information on the draft.

dropwhile commented 5 years ago

Yeah, these look like valid issues. Working on fixes.

dropwhile commented 5 years ago

Security advisory has been published.

dropwhile commented 5 years ago

Release v1.1.5 builds are up now.