
Notify package owners of new vulnerabilities

Open drewgillies opened this issue 4 years ago • 1 comments

Mail blast to owners with vulnerabilities created since last mail blast.

This will require building an API query since the last mail blast date and transforming the result into added/removed/ranges_severity_changed, etc.

Edit by @joelverhagen: an additional tweak on this proposal (great from @Tratcher!) is that we could introduce a verify/approve/correct workflow that gives the author 24 hours to act before we go live on NuGet.org. Example case where this would have helped: https://twitter.com/JamesNK/status/1600844999783903233 (GitHub Advisory DB switched a patched version from 13.0.1 to 13.0.2 for a short period, causing noise).

drewgillies avatar May 24 '21 05:05 drewgillies
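The transformation the proposal describes (query advisories since the last mail blast, diff them into added/removed/range-or-severity-changed, fan out per owner) can be sketched as follows. This is an added illustration, not NuGetGallery code and not the GitHub Advisory DB API: the `Advisory` record shape, the `owners` map, the GHSA ids and the package names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


# Constructed example (not NuGetGallery code): the shape one advisory record
# might have after an advisory API query. Field names are assumptions.
@dataclass(frozen=True)
class Advisory:
    ghsa_id: str           # advisory identifier
    package_id: str        # affected NuGet package
    vulnerable_range: str  # affected version range, as published
    severity: str          # LOW / MODERATE / HIGH / CRITICAL
    updated_at: datetime   # when the advisory was last published or edited


def since_last_blast(advisories, last_blast):
    """Keep only advisories published or edited after the last mail blast."""
    return [a for a in advisories if a.updated_at > last_blast]


def diff_snapshots(previous, current):
    """Compare the advisory set at the last blast with the current set.

    Returns (added, removed, changed); each 'changed' entry is the current
    record plus a dict of field -> (old, new) for range/severity edits.
    Removals only show up by set difference, so the full current set is
    needed, not just the records updated since the last blast.
    """
    prev = {(a.ghsa_id, a.package_id): a for a in previous}
    curr = {(a.ghsa_id, a.package_id): a for a in current}
    added = [curr[k] for k in sorted(curr.keys() - prev.keys())]
    removed = [prev[k] for k in sorted(prev.keys() - curr.keys())]
    changed = []
    for k in sorted(curr.keys() & prev.keys()):
        before, after = prev[k], curr[k]
        delta = {}
        if before.vulnerable_range != after.vulnerable_range:
            delta["vulnerable_range"] = (before.vulnerable_range, after.vulnerable_range)
        if before.severity != after.severity:
            delta["severity"] = (before.severity, after.severity)
        if delta:
            changed.append((after, delta))
    return added, removed, changed


def build_notifications(previous, current, owners):
    """Group diff events per package owner so each owner gets one mail.

    owners: package_id -> list of owner usernames (assumed shape).
    Returns owner -> list of (event, ghsa_id, package_id, detail).
    """
    added, removed, changed = diff_snapshots(previous, current)
    events = []
    events += [("added", a.ghsa_id, a.package_id, a.vulnerable_range) for a in added]
    events += [("removed", a.ghsa_id, a.package_id, a.vulnerable_range) for a in removed]
    events += [("changed", a.ghsa_id, a.package_id, delta) for a, delta in changed]
    mail = {}
    for ev in events:
        for owner in owners.get(ev[2], []):
            mail.setdefault(owner, []).append(ev)
    return mail


def sample_snapshots():
    """Constructed data: the advisory set at the last blast vs. now."""
    t0 = datetime(2022, 12, 1, tzinfo=timezone.utc)  # last mail blast
    t1 = datetime(2022, 12, 8, tzinfo=timezone.utc)  # edits after the blast
    previous = [
        Advisory("GHSA-0001-xxxx-xxxx", "Contoso.Parser", "< 13.0.1", "HIGH", t0),
        Advisory("GHSA-0002-xxxx-xxxx", "Fabrikam.Http", "< 2.0.0", "MODERATE", t0),
    ]
    current = [
        # same advisory, patched version edited upstream -> range changed
        Advisory("GHSA-0001-xxxx-xxxx", "Contoso.Parser", "< 13.0.2", "HIGH", t1),
        # GHSA-0002 withdrawn upstream -> shows up as removed
        Advisory("GHSA-0003-xxxx-xxxx", "Contoso.Parser", "< 1.5.0", "CRITICAL", t1),
    ]
    owners = {"Contoso.Parser": ["alice"], "Fabrikam.Http": ["bob"]}
    return previous, current, owners, t0


if __name__ == "__main__":
    previous, current, owners, t0 = sample_snapshots()
    print("updated since last blast:", [a.ghsa_id for a in since_last_blast(current, t0)])
    for owner, events in build_notifications(previous, current, owners).items():
        print(owner, events)
```

The per-owner event lists are the natural place to apply the verify/approve/correct hold suggested in the edited proposal: an event can sit in a pending state for the review window before the mail goes out, which would have absorbed a short-lived upstream edit such as the patched-version flip mentioned above.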

Leaving a note here for future purposes:

We should work with GH Advisory DB / Security team to see how they can issue better notifications when an advisory is amended/edited. We should hook into that event to issue emails as well.

JonDouglas avatar Dec 08 '22 23:12 JonDouglas