Open JamieSlome opened 3 years ago
Since the developers didn't respond: this project already has a bug bounty program on Bugcrowd: https://bugcrowd.com/xfinity-opensource, issues could be reported over there
Thanks!
@JamieSlome since it has been almost six months now, do you think you could disclose the issue so that users of uri-js can decide whether they need to protect themselves? It is a popular package in a lot of dependency trees, including eslint -> ajv -> uri-js.
@ivan - you can find the report here, which ended up being a non-security issue:
https://huntr.dev/bounties/28df74b0-9b0b-4c0f-adef-7630dc5f5b1d/
Hi there,
I couldn't find a SECURITY.md in your repository and am not sure how to best contact you privately to disclose a security issue.
Can you add a SECURITY.md file with an e-mail to your repository, so that our system can send you the vulnerability details? GitHub suggests that a security policy is the best way to make sure security issues are responsibly disclosed.
Once you've done that, you should receive an e-mail within the next hour with more info.
Thanks! (cc @huntr-helper)