coin3d / coin

Coin3D core library
BSD 3-Clause "New" or "Revised" License
281 stars 106 forks

Lack of vulnerability reporting process #529

Open kkremitzki opened 1 week ago

kkremitzki commented 1 week ago

I was recently contacted by someone who found a vulnerability in the Coin library. They sent me a proof-of-concept, but the underlying issue will need a patch, as well. This raises the issue of needing a process to handle these sorts of disclosures throughout the Coin ecosystem. Sorry @VolkerEnderlein for not creating this issue before the tagging of a new release! Moving forward, I suppose the first thing to do would be for me to share this exploit PoC to those who want to take a stab at making a patch. Thoughts? Anyone else in the org who should be tagged? Perhaps @looooo ?

VolkerEnderlein commented 1 week ago

Thanks for bringing this up, @kkremitzki. I am not aware that GitHub provides such a security channel that can be accessed only by specific maintainers, but I am highly interested in the PoC. Can you mail me the data to volkerenderlein@hotmail.com? That would be very helpful. All maintainers of Coin should be tagged: @veelo @looooo @ggabbiani @WizzerWorks @Renreok and @TheHubbit. Maybe one of them can support us in finding a proper solution for the issue.

VolkerEnderlein commented 1 week ago

I was simply responding too fast without checking the GitHub documentation. GitHub provides such a feature on a per-project basis. It can be found under Settings -> Code security and analysis -> Private vulnerability reporting. If enabled, private communication with the maintainers and owners of the repository can be done on the Security tab under the category Advisories. Meanwhile I have enabled this feature for all top-level projects of the Coin3D organisation. The feature has not been enabled for repositories used as submodules in top-level projects.

For a description of the process see here.

Cheers.
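The comment above enables private vulnerability reporting repository by repository through the web UI, and notes that submodule repositories were left out. The script below is an added example (not Coin3D project code) of how a maintainer could audit an organisation for repositories where the feature is still off, so that gaps like the submodule repositories are found rather than remembered. It assumes the documented REST endpoints `GET /orgs/{org}/repos` and `GET /repos/{owner}/{repo}/private-vulnerability-reporting` (the latter returns `{"enabled": true|false}`), a personal access token in the `GITHUB_TOKEN` environment variable, and an organisation name passed on the command line; the sample responses at the bottom are constructed so the audit logic runs offline, and `example-org` is a placeholder.

```python
"""Audit private vulnerability reporting across a GitHub organisation.

Added example, not part of the Coin3D project.  Assumes the GitHub REST
endpoints named in the lead-in; the sample data below is constructed.
"""
import json
import os
import sys
import urllib.request
from typing import Callable, Dict, List

API = "https://api.github.com"


def github_get(token: str) -> Callable[[str], object]:
    """Return a fetcher that performs one authenticated GET against the API."""
    def fetch(path: str) -> object:
        req = urllib.request.Request(
            API + path,
            headers={
                "Authorization": f"Bearer {token}",
                "Accept": "application/vnd.github+json",
                "X-GitHub-Api-Version": "2022-11-28",
            },
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def audit_org(org: str, fetch: Callable[[str], object]) -> Dict[str, bool]:
    """Map each non-archived repo's full name to whether private
    vulnerability reporting is enabled.  Pages through the repo list
    until an empty page is returned."""
    status: Dict[str, bool] = {}
    page = 1
    while True:
        repos = fetch(f"/orgs/{org}/repos?per_page=100&page={page}")
        if not repos:
            break
        for repo in repos:
            if repo.get("archived"):
                continue  # archived repos cannot accept reports anyway
            name = repo["full_name"]
            pvr = fetch(f"/repos/{name}/private-vulnerability-reporting")
            status[name] = bool(pvr.get("enabled", False))
        page += 1
    return status


def missing_reporting(status: Dict[str, bool]) -> List[str]:
    """Repos that still lack a private reporting channel, sorted by name."""
    return sorted(name for name, enabled in status.items() if not enabled)


# Constructed sample responses (not real API output) for offline use.
SAMPLE_RESPONSES = {
    "/orgs/example-org/repos?per_page=100&page=1": [
        {"full_name": "example-org/core", "archived": False},
        {"full_name": "example-org/submodule-lib", "archived": False},
        {"full_name": "example-org/old-tool", "archived": True},
    ],
    "/orgs/example-org/repos?per_page=100&page=2": [],
    "/repos/example-org/core/private-vulnerability-reporting": {"enabled": True},
    "/repos/example-org/submodule-lib/private-vulnerability-reporting": {"enabled": False},
}


def sample_fetch(path: str) -> object:
    """Offline stand-in for github_get() backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    # With an org name and GITHUB_TOKEN set, audit the real organisation;
    # otherwise run against the constructed sample data.
    if len(sys.argv) > 1 and os.environ.get("GITHUB_TOKEN"):
        fetch, org = github_get(os.environ["GITHUB_TOKEN"]), sys.argv[1]
    else:
        fetch, org = sample_fetch, "example-org"
    for name in missing_reporting(audit_org(org, fetch)):
        print(f"private vulnerability reporting DISABLED: {name}")
```

Run it as `GITHUB_TOKEN=... python audit_pvr.py your-org`; the token needs read access to the organisation's repositories. Archived repositories are skipped because they cannot receive reports, and the audit is pure with respect to its fetcher, so it can be unit-tested or pointed at a mirror without touching the network.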