Closed das7pad closed 1 year ago
In the web's fetch spec, or in wintercg's?
If it's in Node.js - https://hackerone.com/nodejs?type=team If it's in CloudFlare - https://hackerone.com/cloudflare If it's in Deno - https://deno.com/deploy/docs/security
Thanks for the comments!
In the web's fetch spec, or in wintercg's?
In the web's fetch spec: https://fetch.spec.whatwg.org/
If it's in ...
I was referred here (and to https://github.com/whatwg/fetch/issues/1583) by a large vendor after reporting a finding in their fetch implementation. Other implementations are affected as well. They are following the fetch spec and the suggested mitigation is not part of the spec, which is why this needs to be addressed in the spec or get approved by the wider community. I do not want to talk more about this in public. Can we move this conversation to a private email thread please?
This repo isn’t the main fetch spec - that’s in whatwg. WinterCG is for web-interoperable runtimes, like node and deno and so forth, to adapt web specs for non-browser environments.
Given it's the new year, it might take people a few days to get back to you over on the whatwg/fetch repository. If no one replies, perhaps try the information at https://wiki.whatwg.org/wiki/Reviewing
Hey I reached out to some people working on the fetch spec in private - if you email me at benjamingr@gmail.com I will connect you to some people working on it at the relevant capacity.
Please do not send me the disclosure itself, just a "hi" so I can connect you :]
Thanks all. I've dropped you a message @benjamingr.
For future reference regarding https://wiki.whatwg.org/wiki/Reviewing
Links to https://lists.whatwg.org/#specs, which is an archive only:
The WHATWG mailing lists are no longer active. Archive A static archive of the whatwg@whatwg.org mailing list 2004-2019 is available, ...
Links to a BugZilla instance, which is also inactive:
W3C's public bugzilla issue tracker was decommissioned on April 1, 2019.
We reviewed this at Chromium and it's not considered a security issue in the context of Chromium (leaving it to deno/node peeps to decide if it's a security issue in that context). Thanks @benjamingr for connecting, and feel free to reach out next time by opening a chrome restricted security bug.
@das7pad Can you email me at luca@deno.com with the details of the issue?
Hello,
I would like to report a potential vulnerability in the fetch spec. Is there a private email list or an internal issue tracker that I can submit the details to?
Thanks in advance and happy new year!