Closed JamieSlome closed 2 years ago
Thanks, since you already know my email address (since you sent me an email) please just send the information to that email.
I do not wish to open links to sites I do not know, from your email - this should be security school 101 for you :)
@dgtlmoon - sure, will do that for you now 👍
Completely understand! We are a relatively new platform, and so are constantly eager to listen to the feedback of maintainers, but to ultimately respect your feedback too.
I will copy the contents of the report and send them to you directly to the same e-mail address. Let me know if you have any questions or thoughts.
Your report.. so `removepassword` requires you to be logged in, there is no bug here (see `@login_required`). Tested both with `requests` and Chrome, but I think an extra check/block for this can't hurt - so in this way - thanks
To be honest your business model feels a bit like spam, I wouldn't be surprised if you got banned from GitHub for it
Hi @dgtlmoon. I am the original reporter, here is my response:
> allowing an attacker to read local files when the changedetection instance is using webdriver
I am not sure why it's not working for you, perhaps you are on Windows? Here is a PoC from me replicating it
I'm glad you are fixing the LFD, but I believe the CSRF is a bug too and shouldn't be ignored. If you think otherwise, it's fine by me.
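The two comments above turn on a distinction worth seeing in code: a login check answers "does this request carry a valid session?", while a CSRF check answers "did this request originate from our own page?". A browser attaches the session cookie to a request forged from another origin just as it does to a legitimate one, so `@login_required` alone does not stop a cross-site request from hitting a state-changing endpoint. The framework-free Python below is an added illustration, not code from changedetection.io or from anyone in this thread; the `/removepassword` handler, the session store, the `Request` object and the token scheme are all hypothetical stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from functools import wraps


# Constructed stand-in for an HTTP request. The session cookie is sent by
# the browser on every request to the site, including one triggered from a
# page on another origin, which is exactly the CSRF scenario.
@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


# Hypothetical server-side state: one valid session with its own CSRF token,
# and the single piece of state the endpoint mutates.
SESSIONS = {"sess-abc": {"user": "admin", "csrf": secrets.token_urlsafe(32)}}
APP_STATE = {"password_set": True}


def login_required(view):
    """Reject requests that do not carry a known session cookie."""
    @wraps(view)
    def wrapper(req):
        if req.cookies.get("session") not in SESSIONS:
            return Response(401, "login required")
        return view(req)
    return wrapper


def csrf_protect(view):
    """Require a POST that echoes the per-session token; a forged
    cross-site request cannot read that token, so it cannot supply it."""
    @wraps(view)
    def wrapper(req):
        session = SESSIONS.get(req.cookies.get("session"), {})
        submitted = req.form.get("csrf_token", "")
        expected = session.get("csrf", "")
        if req.method != "POST" or not hmac.compare_digest(submitted, expected):
            return Response(403, "csrf check failed")
        return view(req)
    return wrapper


@login_required
def removepassword_vulnerable(req):
    """Login check only: any logged-in browser can be made to call this."""
    APP_STATE["password_set"] = False
    return Response(200, "password removed")


@login_required
@csrf_protect
def removepassword_hardened(req):
    """Login check plus CSRF token check on a POST."""
    APP_STATE["password_set"] = False
    return Response(200, "password removed")


def simulate(view):
    """Replay three constructed requests against a view and return, per
    request, the response status and whether the password survived."""
    token = SESSIONS["sess-abc"]["csrf"]
    scenarios = (
        ("anonymous", Request("GET")),
        ("cross_site", Request("GET", cookies={"session": "sess-abc"})),
        ("legitimate", Request("POST", cookies={"session": "sess-abc"},
                               form={"csrf_token": token})),
    )
    results = {}
    for name, req in scenarios:
        APP_STATE["password_set"] = True
        resp = view(req)
        results[name] = (resp.status, APP_STATE["password_set"])
    return results


if __name__ == "__main__":
    print("vulnerable:", simulate(removepassword_vulnerable))
    print("hardened:  ", simulate(removepassword_hardened))
```

In the vulnerable variant the cross-site request is indistinguishable from the legitimate one and removes the password; in the hardened variant it is refused with 403 while the real form submission still succeeds. Setting `SameSite=Lax` or `Strict` on the session cookie is a complementary defence, but the per-request token is what makes the endpoint safe regardless of cookie attributes.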
Hi @noobexploiterhuntrdev, I'd prefer it if you would supply a PR instead of using my software to try to get me to register with your company, that feels like a horrible situation that neither of us wins
@JamieSlome I appreciate what you're trying to do here, but the way you're going about it is really wrong, you are essentially trying to build your own business by probably using some tool to scrape open source projects, then withholding that information until they register with your website, your email reads almost exactly like a scam email "hey we know something, click here to know more".. I mean.. come on man
Please be more positive and pro-active, I would really appreciate it more if you would provide a PR than trying to get me to join your website
You know, I write this software in my spare time, I have a family and bills to pay, many people like this software but on the other hand it comes with no warranty either expressed or implied
Please be more productive and supply a PR, it's a MUCH better look for your company when I can see that you've provided hundreds of good PRs to many projects and actually made a difference, rather than hiding what could be a scam behind your registration wall
@dgtlmoon - we do not require maintainers to sign-up at all to our platform to access report details. We specifically have built magic URL tech, which allows maintainers to access all contents and actions, without signing up as we realized that is absolutely and entirely unfair to withhold information on the basis that a maintainer joins.
I am sure we can iterate on how we explain our platform, and potentially the content of the e-mail that we send out, to make it clearer that we are not holding maintainers hostage, but rather just trying to share information responsibly.
I/we entirely respect and appreciate the work that you put into this repository, and do not want to stand on your toes or make it seem like we don't take your time seriously.
I will share your feedback here with the team, and we will definitely see how we can improve the platform/e-mails on this basis.
In the meantime, would you like me to opt your repository out of our platform until we can make some improvements and get our process up to scratch for you?
@JamieSlome
> We specifically have built magic URL tech,
What, by sending me an email that looks exactly like a phishing email with a link that says "Click here, we know something about you"? Are you reading what I'm writing or what? It doesn't matter whether there's a registration page or not, this kind of behaviour is really poor.
> In the meantime, would you like me to opt your repository out of our platform until we can make some improvements and get our process up to scratch for you?
I NEVER opted into your system to start with
> magic URL tech
You think you have some special link technology that differentiates you from a phishing attack? Please just stop it and go away unless you want to provide a PR and actually contribute something, and stop wasting other people's time
That's not really how Huntr works. Huntr is a crowdsourced platform, meaning anyone in the world can report security issues on open source problems through them. We don't really belong to their company; instead, we use their company as a channel to report to open source projects. Huntr will handle contacting the maintainer, organizing reports, and assigning CVEs, which makes our lives as researchers easier
Hey there!
I belong to an open source security research community, and a member (@noobexploiterhuntrdev) has found an issue, but doesn't know the best way to disclose it.
If not a hassle, might you kindly add a `SECURITY.md` file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)