Hi! I'm Diogo and I'm back (see #216) hoping to offer a bit more help with security enhancements.
This time I'm here to suggest that you expose a way that users can report eventual sensitive vulnerabilities in a safe and efficient way. This is usually done through a Security Policy, which is a GitHub standard document (SECURITY.md) added on the root of the repo and that will be visible to the users in the "Security Tab", as you can see bellow:
I see that this was already mentioned on the issue #161, where you pointed how would be the best way to reach you and confidentially report any sensitive problem. The idea here would be basically export your answers to a security policy, which is the default place for that and would make the information easier to find. Having this Security Policy would have made it easier and safer to repor that vulnerability. It is also a recommendation from Github itself, and from Scorecard (being a security measure of medium priority).
Aiming to make this change easier, I'll take the liberty and submit a draft of a Security Policy as a PR. Please feel free to edit it directly or ask me for editions until it is in compliance with how python-rsa would best handle vulnerability reports.
Hi! I'm Diogo and I'm back (see #216) hoping to offer a bit more help with security enhancements.
This time I'm here to suggest that you expose a way that users can report eventual sensitive vulnerabilities in a safe and efficient way. This is usually done through a Security Policy, which is a GitHub standard document (SECURITY.md) added on the root of the repo and that will be visible to the users in the "Security Tab", as you can see bellow:
I see that this was already mentioned on the issue #161, where you pointed how would be the best way to reach you and confidentially report any sensitive problem. The idea here would be basically export your answers to a security policy, which is the default place for that and would make the information easier to find. Having this Security Policy would have made it easier and safer to repor that vulnerability. It is also a recommendation from Github itself, and from Scorecard (being a security measure of medium priority).
Aiming to make this change easier, I'll take the liberty and submit a draft of a Security Policy as a PR. Please feel free to edit it directly or ask me for editions until it is in compliance with how python-rsa would best handle vulnerability reports.