Open psmoros opened 1 month ago
Hi, I think I found an issue (might be the same as the potential issue above, or a different one). So can we move forward with this?
The alternative is just adding an issue with a tag security
but I would like to give you a head start.
Is it the use of pickle?
No.
then maintainers would get notifications and it's private.
CodeQL does not show any security warnings, except for the jinja doc build, which is build code and not user code. https://github.com/statsmodels/statsmodels/security/code-scanning
the "privately-reporting-a-security-vulnerability" flow doesn't seem to work. Alternatively I could just post a proof of concept exploit here. The maintainers had ample opportunity to react.
Just go ahead and post it.
or send a private email to me and bashtage
the "privately-reporting-a-security-vulnerability" flow doesn't seem to work.
we have not enabled it yet. My question was whether we need or should enable it.
In general, statsmodels is intended for interactive use or automated use. E.g. formula handling by patsy and formulaic use eval. It's the responsibility of the caller not to do anything unsafe.
In statsmodels itself, I think we are not doing anything that can cause security concerns.
Hello 👋
I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@tvnnn) has found a potential issue, which I would be eager to share with you.
Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future. Looking forward to hearing from you 👍
(cc @huntr-helper)