icecoder / ICEcoder

Browser code editor awesomeness
http://icecoder.net

Trying to get in touch regarding a security issue #1006

Closed JamieSlome closed 2 years ago

JamieSlome commented 2 years ago

Hey there!

I belong to an open source security research community, and a member (@hitisec) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

mattpass commented 2 years ago

@JamieSlome thanks for raising this issue and certainly, adding a SECURITY.md would be a good idea. Will look into that.

In the meantime, you can email info@icecoder.net with info re what has been found. Thanks for asking to disclose responsibly.

JamieSlome commented 2 years ago

@mattpass - you should have received an e-mail about 15 hours ago.

Just for reference, the report can be found here:

https://huntr.dev/bounties/5c9c228e-2a39-4643-bb82-2b02a2b0a601/

It is private and only accessible to maintainers with repository write permissions, or through the magic link we sent you via e-mail (which shouldn't be shared with non-maintainers).

mattpass commented 2 years ago

@JamieSlome thanks for dealing with the researcher's vuln report responsibly, much appreciated. The XSS vuln has been resolved at its reflection point in commit https://github.com/icecoder/ICEcoder/commit/51cf24b2a39138e6a7b5739ef59eb38cd7c39763.

I've thanked the researcher; the details they provided were ideal and the huntr.dev site was brilliant to use! :-)