theZiz / aha

Ansi HTML Adapter

Create SECURITY.md #88

Open zidingz opened 3 years ago

zidingz commented 3 years ago

A simple instruction for security researchers.

freeeflyer commented 3 years ago

There is an issue tracker on github for such reports. So I don't feel like it's necessary to add this file.

geeknik commented 2 years ago

In that case, here are a couple of issues we reported via the open source security platform huntr.dev:

local denial of service using crafted html to crash aha: https://huntr.dev/bounties/d0e7cef2-25b9-45dd-8dbd-acee6571f1a3/

local denial of service using crafted html to crash aha: https://huntr.dev/bounties/8c4e2c18-53bf-4e7d-a74b-4219ae17b78a/

While the "crafted html" doesn't necessarily look like html, the inclusion of these strings into a valid html file would be enough to trigger the reported issues. In the case of the above links, all that is needed is for you to confirm the issues exist, then huntr.dev will pay me a bounty for reporting the issues and then pay you (or whoever submits the patch) a bounty for fixing the issues.

Thank you.

"We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on. It is one of the most important things we can do." - Jim Zemlin

suve commented 2 years ago

Hi @geeknik, can I ask you to disclose the vulnerabilities to me via e-mail (or some other method you prefer)?

I cannot see the reports on huntr, since I am not formally a maintainer of this repo. I have, however, contributed before and I also maintain the aha package in Fedora Linux.