kuroko-lang / kuroko

Dialect of Python with explicit variable declaration and block scoping, with a lightweight and easy-to-embed bytecode compiler and interpreter.
https://kuroko-lang.github.io/
MIT License

Found a possible security concern #20

Closed zidingz closed 3 years ago

zidingz commented 3 years ago

Hey there!

I belong to an open source security research community, and a member (@geeknik) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

klange commented 3 years ago

Responsible disclosure instructions are for projects people use… no one uses Kuroko in an exploitable capacity, so just post the bug as an issue report and stop wasting my time.

klange commented 3 years ago

Further, as Kuroko is only used as part of ToaruOS, we already have a security policy that has been outlined in the greater project release notes for a while now:

There are many known security issues with ToaruOS. You should not use ToaruOS in a production environment - it is a hobby project, not a production operating system. If you find security issues in ToaruOS and would like to responsibly report them, please file a regular issue report here on GitHub.

klange commented 3 years ago

I have added a SECURITY.md to this repository to make this policy clear.