Closed zidingz closed 3 years ago
Responsible disclosure instructions are for projects people use… no one uses Kuroko in an exploitable capacity, so just post the bug as an issue report and stop wasting my time.
Further, as Kuroko is only used as part of ToaruOS, we already have a security policy that has been outlined in the greater project release notes for a while now:
There are many known security issues with ToaruOS. You should not use ToaruOS in a production environment - it is a hobby project, not a production operating system. If you find security issues in ToaruOS and would like to responsibly report them, please file a regular issue report here on GitHub.
I have added a SECURITY.md to this repository to make this policy clear.
Hey there!
I belong to an open source security research community, and a member (@geeknik) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)