coin3d / coin

Coin3D core library
BSD 3-Clause "New" or "Revised" License
289 stars 109 forks source link

Lack of vulnerability reporting process #529

Open kkremitzki opened 2 months ago

kkremitzki commented 2 months ago

I was recently contacted by someone who found a vulnerability in the Coin library. They sent me a proof-of-concept, but the underlying issue will need a patch, as well. This raises the issue of needing a process to handle these sorts of disclosures throughout the Coin ecosystem. Sorry @VolkerEnderlein for not creating this issue before the tagging of a new release! Moving forward, I suppose the first thing to do would be for me to share this exploit PoC to those who want to take a stab at making a patch. Thoughts? Anyone else in the org who should be tagged? Perhaps @looooo ?

VolkerEnderlein commented 2 months ago

Thanks for bringing this up, @kkremitzki. I am not aware that GitHub provides such kind of security channel that can be accessed only by specific maintainers, but I am highly interested in the PoC. Can you mail me the data to volkerenderlein@hotmail.com? That would be very helpful. All maintainers of Coin should be tagged, @veelo @looooo @ggabbiani @WizzerWorks @Renreok and @TheHubbit . Maybe one of them can support us in finding a proper solution for the issue.

VolkerEnderlein commented 2 months ago

Simply was responding to fast without checking the GitHub documentation. GitHub provides such a feature on a per project base. It can be found under Settings -> Code security and analysis -> Private vulnerability reporting . If enabled the private communication with the maintainers and owners of the repository can be done on the Security tab under category Advisories. Meanwhile I enabled this feature for all top level projects of Coin3D organisation. The feature has not been enabled for repositories used as submodules in top level projects.

For a description of the process see here.

Cheers.