Closed mrdewitt closed 7 months ago
Any updates available here?
Facebook does disclose valid vulnerabilities in their open source projects by issuing CVEs; example past projects include HHVM, Proxygen and Hermes.
I am hoping for a response from an owner of this project; I'd prefer to have positive confirmation rather than make an assumption.
We would disclose any vulnerabilities. Yoga has so far not had any.
Report
I am thinking of integrating with Yoga, and am wondering where security vulnerabilities are disclosed. Do you use GitHub's security features? Are they posted with a CVE, and if so do you have a CPE prefix that I can use?
I see that the security policy page links to facebook.com/whitehat but that does not include information about disclosures.