localgovdrupal / localgov

Installation profile for the LocalGov Drupal distribution.
GNU General Public License v2.0

Reporting a vulnerability #524

Open igibek opened 1 year ago

igibek commented 1 year ago

Hello!

I hope you are doing well!

We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security researchers to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.

Can you enable it, so that we can report it?

Thanks in advance!

PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

ekes commented 1 year ago

It would be great if you could submit this against the project on drupal.org https://www.drupal.org/project/localgov ("Report a security vulnerability" link, right-hand column); there it is opted in for security team support.

andybroomfield commented 11 months ago

I believe the underlying issue this relates to was covered in a third-party Drupal module that received a security update. So this issue can be closed? Can we confirm that this is no longer an issue, and that there is documentation to the effect that security reports are sent via the Drupal security team?