miniaudio icon indicating copy to clipboard operation
miniaudio copied to clipboard
verified publisher icon mackron

Security vulnerability

Open CiscoTalos opened this issue 1 year ago • 4 comments

Dear David

We are trying to reach you to submit a vulnerability report for MiniAudio. So far we have sent emails to the listed @gmail address. Please get back to us.

Best,

Martin Cisco Talos

CiscoTalos avatar Sep 03 '24 07:09 CiscoTalos

I deal with all bug reports publicly and transparently. Please post the report here like any other bug report.

mackron avatar Sep 03 '24 23:09 mackron

David, please go to miniaudio Security Policy and provide the necessary information. Then be prepared to handle vulnerability reports.   Details

Exploitable security defects are not the same as bugs. Dealing with them in public leaves all users of products based on a vulnerable release exposed to exploits.

There are safe practices for not identifying such defects even when a commit is made that includes elimination of a vulnerability. Resolution and all discussions are in secret until a repair is made. Then people are warned to use the updated release along with minimal discussion of the nature of the vulnerability.

This should not be new news.

You might be aware that when GitHub recognizes a likely security flaw, typically from a dependency but also from their own scans, they always report privately and do not do anything in public.

@CiscoTalos I am a little startled that anyone from Cisco Talos even made a public notification by creating this issue, no matter how difficult it is to get your private attention.

orcmid avatar Sep 04 '24 03:09 orcmid

I realize I need to follow my own advice, including providing a security policy that specifies there is no exploit handling/reporting on repositories where there are no public releases and any code is unsupported while being experimental/provisional and not for a stable release. Since I'm not accepting pushes, these are low-security situations.

@CiscoTalos There is also GitHub advice on how to arrange a secure conversation when there is no security policy or vulnerability-reporting provision on a repository.

See Privately reporting a security vulnerability.

orcmid avatar Sep 04 '24 18:09 orcmid

===Practice What I Preach Department===

I started setting security policies for all of my repositories.
This one is typical. You might want something even simpler. I would setup the notification mechanism just in case.

orcmid avatar Sep 04 '24 19:09 orcmid

This is fixed in 0.11.22. It was from dr_flac which I amalgamate into miniaudio using a tool. dr_flac has also been fixed.

mackron avatar Feb 24 '25 06:02 mackron