Open eslerm opened 9 months ago
Since fdk-aac syncs from https://android.googlesource.com/platform/external/aac (or https://sourceforge.net/projects/opencore-amr/ ?), it might be most appropriate if the SECURITY.md points to where to report issues upstream.
https://github.com/mstorsjo/fdk-aac/issues/167 was reported by @jslarraz to Android VRP. Android requested a PoC and directed him to https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs
fdk-aac lacks a SECURITY.md
If a vulnerability is found in fdk-aac, a researcher will not know how to privately raise the issue with your developers. The only places I could find to report are this public issue tracker or public mailing lists.
By defining a Security Policy, fdk-aac can set clear expectations to reporters who want to keep fdk-aac and users safe.
Here's GitHub Security's policy as an example. Another option is to use GitHub's private vulnerability reporting feature.