How to get in touch regarding a security concern

[psmoros]

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@esmo-ts) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

[nicoddemus]

Thanks @psmoros for reaching out.

Unfortunately we do not have anything security related setup.

For now please send an email to me (oss-pluggy at soliv.dev) and I will bring up the other maintainers as needed.

[Pierre-Sassoulas]

I think pluggy would be eligible for Tidelift incomes. This would also make creating the security process easy (just add a link in security.md)

[nicoddemus]

That's a good idea @Pierre-Sassoulas.

I applied pluggy for lifting, they will answer in a few days.

[RonnyPfannschmidt]

@nicoddemus we ca enable secure incident reporting for the project as well

[nicoddemus]

Ahh well remembered @RonnyPfannschmidt.

@psmoros you can report it here: https://github.com/pytest-dev/pluggy/security

[nicoddemus]

Closing this then.