ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net
4.33k stars, 1.02k forks

Missing security policy. Cannot report security bugs and vulnerabilities. #2115

Closed xenomuta closed 3 months ago

xenomuta commented 4 months ago

Hi friends,

I've come across a couple of security bugs in OSSEC HIDS that I want to disclose responsibly, but I couldn't find out exactly how, as there is no specific bug-reporting contact or security policy here on your GitHub. So I tried mailing Scott R. Shinn, Dan Parriot and Dominik Lisiak on the matter earlier last month, but haven't received a response.

Could you guide me through the correct way of disclosing this to the team, without publicly disclosing the details?

ddpbsd commented 4 months ago

All I see is an email wanting to disclose some issues, but no issues attached. I haven't really been involved in the project for a few years, so I'm guessing Scott is the way to go. Maybe reach out to him on Slack or Discord? I also believe full disclosure is responsible.

xenomuta commented 4 months ago

Yes, that is because before disclosing zero-day vulnerabilities I would rather first understand the expected process and the designated contact, but security reporting is not enabled in the repo.

We also believe full disclosure is responsible, just as long as I provide the vendors with enough time to patch and address the issue.

Please provide the link for your Slack or Discord.

Regards!

ddpbsd commented 4 months ago

They're not mine, they're OSSEC's. Ossec.slack.com for Slack, and I think this is the Discord link: https://discord.gg/CJR5A2gD. But I could be wrong, I don't use it much.

bigtrucker89 commented 4 months ago

Have you tried the contact in the security.txt file?

https://www.ossec.net/.well-known/security.txt

bigtrucker89 commented 3 months ago

Added a security policy to GitHub to mirror the existing https://www.ossec.net/.well-known/security.txt
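The thread resolves by pointing reporters at the project's security.txt. Before trusting such a file, a reporter (or the maintainer publishing it) should check that it actually meets RFC 9116: it must carry a Contact field and exactly one Expires field, Expires must be an ISO 8601 timestamp in the future, and any web Contact URI must use https. The following added example (not code from OSSEC or from anyone in this thread) parses and sanity-checks a security.txt. It runs on a constructed sample string rather than fetching the real file at https://www.ossec.net/.well-known/security.txt, so every address and URL in the sample is hypothetical.

```python
"""Minimal RFC 9116 security.txt parser and sanity checker.
Added example, not OSSEC project code. The SAMPLE below is constructed
for the demo; none of its contacts or URLs are real."""
from datetime import datetime, timezone

# Constructed sample modelled on the RFC 9116 field set (hypothetical values).
SAMPLE = """\
# Security contact for the example project (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/security/report
Expires: 2099-12-31T23:59:59Z
Preferred-Languages: en
Policy: https://example.org/security-policy
Canonical: https://example.org/.well-known/security.txt
"""

# RFC 9116 makes these two fields mandatory.
REQUIRED = ("Contact", "Expires")


def parse_security_txt(text):
    """Return {field: [values]} in file order; comments and blank lines are
    skipped. Field names are case-insensitive in RFC 9116, so they are
    normalised to Title-Case here (e.g. 'contact' -> 'Contact')."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields


def check_security_txt(fields, now=None):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    now = now or datetime.now(timezone.utc)

    for req in REQUIRED:
        if req not in fields:
            problems.append(f"missing required field {req}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for exp in expires:
        try:
            # ISO 8601 'Z' suffix is accepted by fromisoformat only on 3.11+,
            # so normalise it to an explicit UTC offset first.
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {exp!r}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires lacks a timezone: {exp!r}")
        elif when <= now:
            problems.append(f"security.txt expired at {exp}")

    for contact in fields.get("Contact", []):
        if contact.startswith("http://"):
            problems.append(f"web Contact URI must use https: {contact!r}")
        elif ":" not in contact:
            problems.append(f"Contact must be a URI (mailto:, tel:, https:): {contact!r}")

    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    for field, values in parsed.items():
        print(f"{field}: {values}")
    print("problems:", check_security_txt(parsed) or "none")
```

Pointing this at a live file is a one-line change (read the response body of a GET to /.well-known/security.txt and pass it to parse_security_txt); the checker deliberately treats an expired or contact-less file as unusable, because that is exactly the state that sends reporters hunting for maintainers' personal email addresses, as happened in this issue.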