mickael-kerjean / filestash

🦄 A file manager / web client for SFTP, S3, FTP, WebDAV, Git, Minio, LDAP, CalDAV, CardDAV, Mysql, Backblaze, ...
https://www.filestash.app/
GNU Affero General Public License v3.0
9.99k stars 737 forks

Is there a method to subscribe to security updates? #714

Open Handsome-Rob opened 1 month ago

Handsome-Rob commented 1 month ago

Filestash is fantastic software, first of all, and a big thank you to all the developers who help create it.

I know that Filestash is written with security in mind, and I am certainly not expecting any big security issues, nor do I have doubts about using the software, but in the event there is a security issue, is there an automatic means of being notified?

An example of a prior security issue would be the admin bcrypt hash being leaked, as per the post on the Filestash blog.

I notice the blog does not seem to offer an RSS or Atom feed, and there doesn't appear to be any kind of mailing list. My best idea at the moment is to subscribe to the RSS commits feed of the GitHub repository and filter for security as a keyword, but I'm not even sure if that would make sense or catch everything.

I understand keeping up to date is the best strategy here, but for some setups that may not always be possible, and being alerted to any possible security issues could bring a lot of peace of mind.

I understand the release strategy was detailed here in GitHub issue #490, so I suppose I am wondering if there is a separate disclosure strategy for security issues?
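The commit-feed keyword filter the post floats, as an added example that is not part of the issue or of Filestash itself: it parses an Atom feed in the layout of GitHub's per-branch `commits/<branch>.atom` feeds and keeps the entries whose title matches a security keyword. The feed content, commit ids and links are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}
# Keywords to watch for in commit titles; extend to taste.
SECURITY_KEYWORDS = ("security", "vulnerab", "cve-", "xss", "csrf", "bypass", "leak")

# Constructed sample of a GitHub commits Atom feed (hypothetical entries, not a capture).
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Recent Commits to filestash:master</title>
  <entry>
    <id>tag:github.com,2008:Grit::Commit/aaaa1111</id>
    <title>fix: session cookie leak on shared links</title>
    <link rel="alternate" type="text/html" href="https://example.invalid/commit/aaaa1111"/>
    <updated>2024-05-01T10:00:00Z</updated>
  </entry>
  <entry>
    <id>tag:github.com,2008:Grit::Commit/bbbb2222</id>
    <title>chore: bump frontend dependencies</title>
    <link rel="alternate" type="text/html" href="https://example.invalid/commit/bbbb2222"/>
    <updated>2024-05-02T10:00:00Z</updated>
  </entry>
  <entry>
    <id>tag:github.com,2008:Grit::Commit/cccc3333</id>
    <title>Security: harden admin password check</title>
    <link rel="alternate" type="text/html" href="https://example.invalid/commit/cccc3333"/>
    <updated>2024-05-03T10:00:00Z</updated>
  </entry>
</feed>
"""

def security_commits(feed_xml, keywords=SECURITY_KEYWORDS):
    """Return (title, link, updated) for entries whose <title> matches a keyword.

    Heuristic only: a fix whose commit message never names the problem as
    security-related is missed, so this complements an advisory channel.
    """
    root = ET.fromstring(feed_xml)
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for entry in root.findall("atom:entry", ATOM_NS):
        title = entry.findtext("atom:title", default="", namespaces=ATOM_NS).strip()
        if not pattern.search(title):  # case-insensitive substring match
            continue
        link = entry.find("atom:link[@rel='alternate']", ATOM_NS)
        updated = entry.findtext("atom:updated", default="", namespaces=ATOM_NS)
        hits.append((title, link.get("href") if link is not None else "", updated))
    return hits
```

Run it against the live feed by fetching the `.atom` URL and passing the body to `security_commits`; the dependency-bump entry above shows why a keyword filter alone gives no guarantee of catching every relevant change.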

sevmonster commented 1 month ago

This issue was the first time I heard about this. Even creating an issue in addition to the blog post may have been a good option. For a pretty serious vulnerability like this, there should be some channel for communication that users can subscribe to. I also directly communicated a security issue to Mickael a while ago, and there wasn't any public discourse or notification about it. It did get fixed, though.

Probably the easiest option to resolve this issue would be GitHub's own security advisory feature.