intel
Reporting a vulnerability
Hello!
I hope you are doing well!
We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security research to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.
Can you enable it, so that we can report it?
Thanks in advance!
PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
Hi @igibek , we are working to see about turning on Private vulnerability reporting for potential future use.
For now, you can find guidelines/steps to report this issue privately at https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html. This report will be provided to us and we can work with you further on resolving it.
Thanks for reaching out!
@stdale-intel as I understand there's still no possibility to report the private vulnerability, right?
Hi! There have been no updates for at least the last 60 days, though the issue has assignee(s).
@stdale-intel, could you please take one of the following actions:
- provide an update if you have any
- unassign yourself if you're not looking / going to look into this issue
- mark this issue with the 'confirmed' label if you have confirmed the problem/request and our team should work on it
- close the issue if it has been resolved
- take any other suitable action.
Thanks!
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hi! There have been no updates for at least the last 60 days, though the issue has assignee(s).
@stdale-intel, could you please take one of the following actions:
- provide an update if you have any
- unassign yourself if you're not looking / going to look into this issue
- mark this issue with the 'confirmed' label if you have confirmed the problem/request and our team should work on it
- close the issue if it has been resolved
- take any other suitable action.
Thanks!
Hi! There have been no updates for at least the last 60 days, though the issue has assignee(s).
@stdale-intel, could you please take one of the following actions:
- provide an update if you have any
- unassign yourself if you're not looking / going to look into this issue
- mark this issue with the 'confirmed' label if you have confirmed the problem/request and our team should work on it
- close the issue if it has been resolved
- take any other suitable action.
Thanks!
Hi! There have been no updates for at least the last 60 days, though the issue has assignee(s).
@stdale-intel, could you please take one of the following actions:
- provide an update if you have any
- unassign yourself if you're not looking / going to look into this issue
- mark this issue with the 'confirmed' label if you have confirmed the problem/request and our team should work on it
- close the issue if it has been resolved
- take any other suitable action.
Thanks!
This topic was recently re-evaluated and apparently we (Intel) prefer all security issues reported through a single channel. Therefore, we won't be enabling private vulnerability reporting on GitHub. Our security policy was updated in #16559 to clarify how security issues should be reported.
I will close this issue, but feel free to comment/re-open if you have subsequent questions/concerns.
