objection.js
How to report a security issue?
Can you please help me disclose a potential security issue in the right way? I was trying to reach @koskimas via email, as they seem to be the most active contributor to the project, but didn't hear back.
Additionally, can I suggest adding a security policy to the repository to help other security researchers reach out to you properly?
If you are about to report a prototype pollution vulnerability that can ONLY be exploited by importing an internal function and using it in a specific way, don't bother with your report.
If you actually have a POC that uses the PUBLIC API of objection, and it is an actual feasible attack that can actually be used, then I'll answer your email and happily fix the issue. Remember, you need to have a POC that shows the attack can be carried out through code written by an actual human being. Nobody imports internal private functions from libraries and uses them.
I take security issues very seriously, but I've recently wasted an enormous amount of my time answering issues and contacting various authorities about reported vulnerabilities that are not actually exploitable.
These are usually reported by people that get money through sites like huntr and the like. These prototype pollution "vulnerabilities" can be found using bots and are trivial to fix and often impossible to exploit, and the reporters get money for finding and fixing them 🤷
People like this are NOT improving the security of OSS projects. They are wasting everyone's time and, by doing that, turn people away from open source.
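For readers unfamiliar with the bug class the maintainer is referring to, here is an added, self-contained illustration. It is not objection's code and does not describe any issue in objection: `naiveMerge` is a constructed, deliberately naive deep-merge helper of the kind that gets reported as prototype pollution, `safeMerge` is the usual one-line fix (refusing the keys that reach the prototype chain), and `demo` feeds each of them a constructed attacker-controlled JSON body and reports whether `Object.prototype` was polluted.

```javascript
// Added illustration (not from the objection project): the prototype-pollution
// bug class in a constructed deep-merge helper, beside its hardened form.
// Runs under Node.js with no dependencies.

// Vulnerable: copies every own key of `source`, including "__proto__".
// JSON.parse creates "__proto__" as an ordinary own property, so a body such as
// {"__proto__": {"polluted": "yes"}} makes this function recurse into
// target.__proto__, which is Object.prototype, and write to it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys whose assignment can reach the prototype chain rather than the object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skips the unsafe keys and only descends into OWN properties of the
// target, so inherited objects are never used as a merge destination.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge implementation against a constructed attacker-controlled body
// and returns what an unrelated empty object afterwards inherits for
// "polluted": 'yes' if Object.prototype was written to, undefined otherwise.
// The global prototype is cleaned up so successive calls are independent.
function demo(mergeFn) {
  const body = JSON.parse('{"name":"x","__proto__":{"polluted":"yes"}}'); // constructed input
  mergeFn({}, body);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('naiveMerge leaks:', demo(naiveMerge)); // 'yes'
console.log('safeMerge leaks:', demo(safeMerge));   // undefined
```

The point the maintainer makes still applies to this toy: the write only matters if untrusted input can actually reach the vulnerable function through a documented entry point, which is what a usable POC has to show.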
It is not prototype pollution; the POC is attached in the email and uses only the public, documented API of the library.
Hi, I just wanted to check whether you found the email I sent. If so, I think we can close this issue?
Is there any chance you were able to verify the issue? Can I help you somehow?