Open groundcat opened 1 month ago
@groundcat can you provide a screenshot or explain why it's not functional? I followed the link and I was able to access a form to submit a report.
But since I have admin rights in the repo, perhaps it's working differently. I will need an external example.
I get a regular GitHub 404 page:
The PSL is a static text file. I still scratch my head as to why tf we need to have any security advisory like this for ANY practical reason.
Because we have things like GitHub Actions which are really easy to mess up in a way they give people write access to the repo. 😞
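To make the concern above concrete, here is an added example (not code from this thread or from the publicsuffix/list repository) showing the common way a workflow ends up granting write access to anyone who opens a pull request, next to a hardened version. Workflow and job names are constructed for illustration; the only real identifiers are the `pull_request_target` / `pull_request` triggers, the `permissions` key and `actions/checkout`.

```yaml
# Added example, not from the thread: two separate workflow files shown as
# one YAML stream (split by ---). Names are constructed.

# --- File 1: RISKY. pull_request_target runs in the context of the base
# repository, so GITHUB_TOKEN may carry write scope and repository secrets
# are available. Checking out the PR head and running its scripts means
# untrusted code executes with that token.
name: lint-unsafe
on:
  pull_request_target:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted PR code
      - run: npm install && npm run lint  # executes the PR's own package.json scripts

---
# --- File 2: HARDENED. The plain pull_request trigger runs fork PRs with a
# read-only token and no secrets, and permissions are pinned to read-only
# explicitly so the repo-level default cannot widen them.
name: lint-safe
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install && npm run lint
```

The check a maintainer can do on any workflow: if it uses `pull_request_target` (or `workflow_run` fed by PRs), confirm it never checks out or executes content from the PR head, and that a top-level `permissions:` block restricts the token to what the job actually needs.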
Could one of the admins please enable private reporting as described here: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#enabling-or-disabling-private-vulnerability-reporting-for-a-repository
This was already discussed in #1856 and we agreed that it would be good to allow for reports related to list infra, not list entries. The security file reflects this decision (as well as the discussion in the pull request).
We should just make that change, as suggested by simon above.
@weppos Would you mind? Or just make me an admin maybe?
I enabled the feature. Can someone give it another try and confirm it works? I am unable to test, as an admin I could already access it before.
It seems to work. I can access the form, and was able to submit a test report (it now says "Thank you for reporting a vulnerability to publicsuffix/list. Maintainers have been notified and will review your submission.").
@weppos Just FYI: It seems I cannot see the submissions on GitHub so y'all will have to handle them.
This is strange. According to GitHub, you should be able to manage them.
https://github.com/publicsuffix/list/blob/4f58803a4353778a3ddd337f55e15ac6e7c3ce67/SECURITY.md?plain=1#L11
The security advisory link
https://github.com/publicsuffix/list/security/advisories/new
(added from #1856) is currently not functional and may require some setup to be completed, if necessary.