search

web-auth / webauthn-framework

FIDO-U2F / FIDO2 / Webauthn Framework
MIT License
381 stars 51 forks source link

How/where to report a security issue? #573

Closed reedy closed 3 months ago

reedy commented 4 months ago

Description

I haven't got one to report, but...

https://github.com/web-auth/webauthn-framework/blob/c9e54b7/README.md#L40-L44

If you discover a security vulnerability within the project, please don't use the bug tracker and don't publish it publicly. Instead, all security issues must be sent to security [at] spomky-labs.com.

But if you go to https://github.com/web-auth/webauthn-framework/issues/new/choose "Report a security vulnerability" is also enabled. Are both valid? Or should people be using one or the other? Can it be clarified in the Readme? :)

https://github.com/web-auth/webauthn-framework/blob/c9e54b7/SECURITY.md similarly suggests to email, not mentioning the GitHub form

Spomky commented 4 months ago

Hello @reedy,

Than you for pointing this out. I will update those pages. You can use the GH Security Advisories.

Spomky commented 3 months ago

Hi,

I modified the README page accordingly. Also, the documentation is up to date and lead to the same page.

Regards.

github-actions[bot] commented 2 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.