vrcx-team / VRCX

Friendship management tool for VRChat
MIT License

[Feature Request] In-App Security Advisories #859

Open DubyaDude opened 1 month ago

DubyaDude commented 1 month ago

While the VRChat staff team has been amazingly cooperative and fast with our requests to have older versions blocked, it shouldn't be something we should depend on. That was our only real option in that case since we don't have any sort of security alerts or kill switches of our own.

While I'm not the biggest fan of doing full kill switches unless it's the only remaining option, utilizing GitHub Security Advisories could be nice to add to our API and add handling within VRCX.

regalialong commented 3 weeks ago

Even without in-app handling, enabling private vulnerability reporting and adding a SECURITY.md would be a nice start in order to give a clear path on how to report found vulnerabilities.

DubyaDude commented 3 weeks ago

I believe that would be a separate issue; this is primarily for the API I'm developing for us to be able to display security advisories in-app.

regalialong commented 3 weeks ago

I'll go fork that off into another issue then.