Trying to get in touch regarding a security issue #229
Comments
@JamieSlome, hey, thank you for reaching out! Please send details of the security-related issue to email surrender@evilmartians.com with a topic containing "Lefthook" and we will take care of it. Later we will figure out proper contact details; I will keep this issue open for now.
We have received the email with details, looking into the issue right now. Thank you!
This ticket still being open implies there's an unaddressed security issue for ~10 months. I assume that's not actually the case.
This ticket is open only because we haven't declared a way to send security-related reports to us. Thanks for the heads-up! I investigated this initial security issue and it seems to be unsolvable because Lefthook by design executes arbitrary commands from its config file. If you don't trust some repository, don't use lefthook in it. If you have any additional thoughts, feel free to comment!
@Envek - just an idea, but you could always point to:
Hey there!
I'd like to report a security issue but cannot find contact instructions on your repository.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future. Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)