
Reporting security vulnerabilities

Open cmb69 opened this issue 11 months ago • 9 comments

If I want to report a security vulnerability (hypothetical!), I go to https://github.com/libgd/libgd/issues/new/choose, click "View policy", and get

security

Confirmation:

https://github.com/libgd/libgd/blob/d9b0f3113dd7f69870359f65e6391e33dfbfbe50/README.md?plain=1#L23

Really?

Can we please enable GH security advisories?

cmb69, Jan 02 '25 00:01

we had [email protected] for a while, and it was active at least until 2019. not sure what happened since tbh. our CONTRIBUTING.md document still refers to it.

this also predated any sort of functionality in GH. if GH has direct support for private reports, that sounds fine to me.

at the very least, we should consolidate the 3 places discussing security reports (README, CONTRIBUTING, SECURITY) into one (SECURITY).

vapier, Jan 02 '25 03:01

> we had [email protected] for a while, and it was active at least until 2019. not sure what happened since tbh. our CONTRIBUTING.md document still refers to it.

Yeah, [email protected] stopped working for me years ago. See #768 (which likely triggered 26a5726794c81397ad6cffc04ba03d8ebff8a2c2 later).

> this also predated any sort of functionality in GH. if GH has direct support for private reports, that sounds fine to me.

All open advisories are private, and only the reporter and repo owners have access, but other people can be invited for individual advisories. The question is, are there any repo owners active?

> at the very least, we should consolidate the 3 places discussing security reports (README, CONTRIBUTING, SECURITY) into one (SECURITY).

Indeed, makes sense. I'll come up with a PR soonish.

cmb69, Jan 02 '25 11:01

> I'll come up with a PR soonish.

See #926.

cmb69, Jan 02 '25 13:01

I just enabled "Private vulnerability reporting". what do you see when you go to the security tab now?

afaict, it's easy to convert a private report into a public issue, so we don't have to keep reports locked up forever.

vapier, Jan 02 '25 17:01

> just enabled "Private vulnerability reporting". what do you see when you go to the security tab now?

I see a button "Report a vulnerability" (and can click it to edit a new bug report). \o/

cmb69, Jan 02 '25 17:01

can you report one as a test?

somewhat ironically, I don't think I can report a vulnerability, I can only write up a report/advisory

vapier, Jan 02 '25 17:01

I just filed one (see https://github.com/libgd/libgd/security/advisories). I think this is how it's supposed to work. Main point is that these reports are not public (until they are published).

cmb69, Jan 02 '25 18:01

your report hit my inbox like any other issue. but looks like I was wrong about converting it to a public issue. you can do that for other things (like Dependabot alerts or Code Scanning reports), but not for vulnerabilities.

I created a "security" team and granted it "Security Manager" access and invited you to it. so hopefully you should get the reports now too. all owners get the reports too, so it isn't just you :).

vapier, Jan 02 '25 18:01

> I created a "security" team and granted it "Security Manager" access and invited you to it. so hopefully you should get the reports now too. all owners get the reports too, so it isn't just you :).

I didn't receive an invite notification, but can see more now than before, so I assume I'm already a member of the security team (indeed, I am). Thank you!

cmb69, Jan 02 '25 22:01