How to get in touch regarding a security concern

[psmoros]

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@rootd4ddy) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

[cu]

As it currently exists, this project is intended to be used by trusted users in a trusted environment. All layers of security (authentication, encryption, etc) are expected to be layered on top by the person deploying it. (See https://github.com/cu/silicon/tree/master/deploy for some examples of this.) As such, there really isn't much of an attack surface, even if a vulnerability exists somewhere. Additionally, This is a tiny project and as far as I am aware, I am likely the only actual user. When (or indeed if) this project ever gains a substantial following, or if my job somehow entails maintaining it, I will take more interest in security issues. But right now, there isn't much point in out-of-band security communications.

Pull requests (accompanied by passing tests) are always welcome, however.

[rootd4ddy]

cu,

Thanks for the quick response. It would be great if you could find the time to coordinate with @psmoros just to discuss this a bit. I'm trying to get some experience in security research and was hoping this disclosure would lead to https://huntr.dev (psmoros) assigning me my first CVE with Mitre. If you don't have the time I totally understand, but this would truly mean a lot if you did. Thanks.