dd86k / sha3-d

Pure D implementation of SHA-3 (Keccak-f[1600,24]) + DUB package
https://code.dlang.org/packages/sha3-d
Boost Software License 1.0

Outdated security advisory flow #8

Closed mratsim closed 10 months ago

mratsim commented 10 months ago

The suggested security advisory flow is incorrect, probably referring to an old workflow.

https://github.com/dd86k/sha3-d/blob/dc34beb92f28bdbeb30b0e360254dbbaf7a21e92/.github/SECURITY.md#L5-L6

In the current Github, only admins can create a security advisory so people have to contact you privately:

https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory

Who can use this feature

Anyone with admin permissions to a repository, or with a security manager role within the repository, can create a security advisory.

Note: I don't have any security issue to report. Was just curious.

dd86k commented 10 months ago

Hey, thanks for noticing.

I've enabled Private vulnerability reporting (Beta), which "Allow your community to privately report potential security vulnerabilities to maintainers and repository owners." Hoping this will work.

I've also noticed a typo in the snippet that you highlighted (regarding "Securitiy"), I'll tweak the SECURITY.md file later and apply it to my blake2 repo as well.