microsoft / SymCrypt

Cryptographic library
MIT License

Reporting a security issue #2

Closed randombit closed 5 years ago

randombit commented 5 years ago

I noticed a side channel and mailed a report to opensource@microsoft.com but never received a response. I had assumed I would get at least an autoreply that my message had been received. Is there some better way to report security issues in this code?

Suchiman commented 5 years ago

The AspNetCore project has the following information in their template:

If you believe you have an issue that affects the security of the platform please do NOT create an issue and instead email your issue details to secure@microsoft.com. Your report may be eligible for our bug bounty but ONLY if it is reported through email.

randombit commented 5 years ago

Thanks @Suchiman, I just mailed that address; hopefully it gets somewhere.

michael-hawker commented 5 years ago

@NielsFerguson it'd be good to update the readme with this info too and put this in the new issue template, eh?

NielsFerguson commented 5 years ago

Thank you @randombit for reporting the bug through the proper channels. We'll have a fix ready very soon, but it won't show up here on GitHub until we have patches available for all machines that use this code.

@michael-hawker: I have updated the Readme with information on how to report security issues.

michael-hawker commented 5 years ago

Thanks @NielsFerguson, you can also add a .github/ISSUE_TEMPLATE.md file with those instructions so someone who goes to post a new issue can get the proper steps too before posting. 😊