todogroup / gh-issues

A curated set of issues related to GitHub and running corporate scale open source
http://todogroup.org

Reporting CVEs to projects #52

Closed hyandell closed 5 years ago

hyandell commented 6 years ago

I'd like a process to report security issues to projects, and to have security issues reported to my organization, without having to do it in public. I suspect this comes down to private issues (i.e. only the requester and anyone with Write permission can read the issue).

Ideally the same would hold for pull requests, which would help with projects that don't have issues turned on.

caniszczyk commented 6 years ago

It would be nice to have something built into GitHub or just the ability to make private issues.

We are currently evaluating some external services like hackerone for CVE coordination.

caniszczyk commented 6 years ago

this has come up again today, would be nice :)

Dor1s commented 5 years ago

+1, private issues would be super helpful

jeffmcaffer commented 5 years ago

Does the new Maintainer Security Advisories address this?

caniszczyk commented 5 years ago

yep

caniszczyk commented 5 years ago

wfm