scylladb / seastar

High performance server-side application framework
http://seastar.io
Apache License 2.0

Create a SECURITY.md file in the repository #997

Open JamieSlome opened 2 years ago

JamieSlome commented 2 years ago

Hey there!

I belong to an open source security research community, and a member (@srikanthprathi) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

nyh commented 2 years ago

You can use the email address security@scylladb.com to report sensitive security issues in ScyllaDB projects (including Seastar). And yes, it makes sense to explicitly mention that in README.md and/or SECURITY.md.

JamieSlome commented 2 years ago

@nyh - we will send an e-mail to an elected address in the SECURITY.md, once this has been created. Otherwise, you can view the report here:

https://huntr.dev/bounties/c9fcafcd-323d-41e0-b1ac-728d9f82943e/

It is private and only accessible to maintainers with repository write permissions.

nyh commented 2 years ago

@JamieSlome I looked at the report and it is of extremely low severity - it's a report about a "security hole" in our configure.py Python script (which is not relevant at all on modern single-user build machines), not in Seastar itself. I'm leaving this issue open as a reminder that it does make sense to create a SECURITY.md file, regardless of the specific security (non)issue discussed here.