Found a possible security concern
Hey there!
I belong to an open source security research community, and a member (@srikanthprathi) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.
Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
You can pretty much send a direct email to either me or @heapcrash. Or create a CTF task for fun (see #1732). Not sure what the nature or severity of the issue is; CVE-2020-28468 has been assigned severity = critical, while I believe that a) RCE is extremely unlikely unless the GCC preprocessor has some bugs/misfeatures, b) it requires that the victim tries to pwn a rogue service and crafts shellcode with a string based on returned data (rare, if not a bad idea in the first place; using a parsing library without reviewing whether it allows native deserialization is an example of what I call a bad idea). Nevertheless that issue deserved to be fixed, so whatever yours is, it will be fixed as well. Hopefully soon enough.
-- Sent from my Sailfish device
@Arusekk - if you prefer, you can view the report directly here:
https://huntr.dev/bounties/2b1f563b-525b-47d9-b85b-44d7da0e74c7/
It is private and only accessible to maintainers with repository write permissions.