
Preferred way to report vulnerabilities?

Open dbrumley opened this issue 3 years ago • 5 comments

Do you have a preferred way to (responsibly) report possible security vulnerabilities in this library?

dbrumley avatar Oct 12 '21 02:10 dbrumley

Hi,

We don't have a well-defined way; I've been trying to figure it out but it's taking some time.

Until then, you could email me at thomas.nixon at bbc.co.uk. Hopefully this comment will have a member badge showing that I'm a reasonable point of contact.

Otherwise you could try the EBU vulnerability disclosure form, perhaps mentioning me as a point-of-contact so it gets to the right place: https://www.ebu.ch/about/contact-us/vulnerability-disclosure

Thanks for your patience.

tomjnixon avatar Oct 13 '21 14:10 tomjnixon

~OK, apparently member badges are not publicly visible; please use the form I linked.~ Found the setting to turn it on.

tomjnixon avatar Oct 13 '21 14:10 tomjnixon

Will do! I also emailed Benjamin Weiss as he is listed as a contributor. (Potentially an issue on my side; I didn't verify how active he is.)

Thanks for getting back to me! I'll report, and leave it to you to decide if a vuln. If so, I'd like to pursue a CVE just because I'm a small business, and it helps a bit to have such things.

Thank you!

dbrumley avatar Oct 13 '21 15:10 dbrumley

Great. Unfortunately IRT no longer exists so he may not get your message, or may not have time to act on it.

tomjnixon avatar Oct 13 '21 15:10 tomjnixon

No worries.

GitHub seems to have this Security tab now; not sure how to configure it. Might be something (if you have admin access to the repo) that you could configure.

I filled out the form.

Thanks!

David


dbrumley avatar Oct 13 '21 15:10 dbrumley