Vulnerability report

[JafarAkhondali]

We are a group of researchers from Leiden University, and we conduct research on vulnerabilities in open-source software. We have discovered and verified a high-severity vulnerability in your project(chcunningham/wc-talk). Explaining the vulnerability further in this issue could allow malicious users to access details, so we recommend enabling private vulnerability reporting on GitHub to discuss this matter confidentially. After you have enabled this feature, please add a comment to this issue so we can continue our discussion. If you have any questions, feel free to leave a reply here or send an email to: j.akhoundali [at] liacs.leidenuniv.nl

[guest271314]

Wouldn't it make sense to publicly disclose the common vulnerabilities and exposures so we all can examine the issue?

[JafarAkhondali]

@guest271314 No, vulnerability reports should be discussed privately until maintainers provide a fix. Also if there is no response from the maintainers (in ~1month), then the vulnerability can be public so that users are aware of the issue.

[guest271314]

Interesting philosophy. I would just expose the exploit so users in the field can be aware that they are running software vulnerable to exploits and maintainers can also know they are producing code with vulnerabilities. Full disclosure all the way around. No secrets.

[JafarAkhondali]

We follow best practices from other source: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html So If they don't respond in time, we will make the vulnerability details public(similar to Google's Project Zero).

[guest271314]

Right, the 2d option is full disclosure. It is possible that users and/or developers in the field can come up with a fix that maintainers have not thought about. Anyway, I'll check out what's going on here when the details are made public.