gun icon indicating copy to clipboard operation
gun copied to clipboard
verified publisher icon amark

Who to contact for security issues

Open zidingz opened this issue 4 years ago • 6 comments

Hey there!

I belong to an open source security research community, and a member (@shellinjector) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

zidingz avatar Nov 13 '21 05:11 zidingz

@zidingz @huntr-helper thanks! I'll be on in an hour or so, and will check this out. Thank you!

amark avatar Nov 13 '21 20:11 amark

There are many ways to reach Mark Nadal You could either:

  1. Contact him via email [email protected] (can be verified by looking at his github page)
  2. Reach to him via gitter he's answering there probably on a daily basis https://gitter.im/amark/gun / chat.gun.eco (verifyable on the readmy or at the website)

Edit: Or just ignore my comment since he already answerd here 😅

CodingBitsDev avatar Nov 13 '21 20:11 CodingBitsDev

@zidingz @ShellInjector @huntr-helper (I assume one of you is @4mgh0z_twitter ?) security report is valid!

Everyone else: Heroku is doing something I was not expecting, I hope other deploys (docker/vercel/etc.) do not do this too, but haven't checked yet (will ^^ @zidingz also check, I'm won't be back for another hour or so). So everyone running a relay peer, beware! Please alert each other, or message @4mgh0z_twitter meanwhile.

amark avatar Nov 13 '21 20:11 amark

Yes! it's me Thanks for the information ! i hope you can validate the report on the platform.

ShellInjector avatar Nov 13 '21 20:11 ShellInjector

Update: No other NodeJS peer I've inspected has this issue.

So far, it seems isolated only to my gunjs.heroku machine, but I still do not know why

(conversation happening in the private bug/bounty report tool)

It seems like some build step (tho I have none) is misplacing sensitive files into the app's folder, these files do not exist in GUN's repo, and I do not know where they are coming from or what is generating them.

And again, for everyone else: it does not seem like any other deploy or heroku is doing this - maybe it is my email configuration, I will look into that.

amark avatar Nov 14 '21 01:11 amark

Wierd! anyway i hope you will fix this ASAP!

ShellInjector avatar Nov 15 '21 09:11 ShellInjector