
Add a Security Policy

Open Ccamm opened this issue 2 years ago • 5 comments

Feature request

Summary

Add a security policy to this repository to explain how to privately disclose vulnerabilities. I have tried emailing the main contributor (@alexzaganelli) about a security vulnerability, but I haven't received a response yet. I do not know if the email address I sent my report to is used anymore, so it would be great to have clarification of what the best method of communication would be for reporting vulnerabilities.

Why is it needed?

It will assist security researchers in privately reporting vulnerabilities. Professional security researchers want to have security vulnerabilities patched before details are published to inform users of the issue.

Suggested solution(s)

Add a security policy with a method for privately reporting vulnerabilities.

Related issue(s)/PR(s)

N/A

Ccamm avatar Jan 18 '23 04:01 Ccamm

Thank you!! This is your first issue on this repo

github-actions[bot] avatar Jan 18 '23 04:01 github-actions[bot]

@alexzaganelli pinging again because you should do this ASAP and respond to my report (assuming your current email is [email protected]). The vulnerability I want to report is rated critical and everyone who is using this plugin is vulnerable.

Ccamm avatar Jan 21 '23 10:01 Ccamm

Hi @Ccamm, thank you for your contribution. I'll try to do my best during the next week. As you can imagine this is a plugin that I've written for the community, not for my own business, so I need to find a bunch of time to fix this vulnerability.

Thank you again. Alex

alexzaganelli avatar Jan 25 '23 23:01 alexzaganelli

> Hi @Ccamm, thank you for your contribution. I'll try to do my best during the next week. As you can imagine this is a plugin that I've written for the community, not for my own business, so I need to find a bunch of time to fix this vulnerability.
>
> Thank you again. Alex

Thanks for the response. I assume that you have seen my report that I sent to [email protected]. Let's communicate via email, since it is a sensitive matter that I don't want to get out.

I will close this issue when a Security Policy is added, since it is needed for future security researchers to privately disclose vulnerabilities.

Ccamm avatar Jan 26 '23 07:01 Ccamm

@Ccamm was this issue resolved?

rrubio avatar Mar 04 '24 02:03 rrubio