search

erusev / parsedown

Better Markdown Parser in PHP
https://parsedown.org
MIT License
14.69k stars 1.12k forks source link

Who to contact for security issues #816

Open zidingz opened 2 years ago

zidingz commented 2 years ago

Hey there!

I belong to an open source security research community, and a member (@shellinjector) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

aidantwoods commented 2 years ago

Hi @zidingz, I'm creating a security advisory under my own fork of Parsedown. I'll invite both you and @ShellInjector to access it. (Unfortunately I am not able to create one here as it is a personal repo, which I think only permits one admin/owner).

Please feel free to disclose the information there, or otherwise post it here if you prefer to do full-disclosure in the open.

Thanks also for highlighting the missing SECURITY.md, I'll see what I can do for improving the contact process.

JamieSlome commented 2 years ago

@aidantwoods - I see that you commented on one of our reports, requesting access.

Seeing as you maintainer your own fork, it might be worthwhile @ShellInjector, disclosing the report against the forked version of Parsedown instead (which @aidantwoods maintains).

Our system currently only grants access to the user that maintainers a repository, unless the repository is an organization of course.

@ShellInjector @aidantwoods - does this work for you both?

aidantwoods commented 2 years ago

That works for me!

ShellInjector commented 2 years ago

Any updates!