
Add security process documentation

Open JamieSlome opened this issue 3 years ago • 4 comments

Hey there!

I belong to an open source security research community, and a member (@ranjit-git) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

JamieSlome avatar Jan 16 '22 09:01 JamieSlome

I'll look into setting up something more formal, but for now my email address is in nearly every merge commit in this repo.

bdarnell avatar Jan 16 '22 18:01 bdarnell

@bdarnell - great, thanks - I will get an e-mail sent over to you now.

Alternatively, you can view the report directly here: https://huntr.dev/bounties/c7e79096-39be-44b6-a038-119ec4062ea1/

It is private and only accessible to maintainers with repository write permissions.

JamieSlome avatar Feb 27 '22 08:02 JamieSlome

Can you disclose some information? Which versions are affected? How critical is it? What kind of vulnerability is it?

spaceone avatar Apr 04 '22 21:04 spaceone

It was a duplicate of #2458. I'm keeping this open to remind me to come up with some sort of documented security process.

bdarnell avatar Apr 05 '22 03:04 bdarnell