Create SECURITY.md #88

Open · wants to merge 1 commit into master
Conversation

@zidingz commented Oct 11, 2021

A simple instruction for security researchers.
@freeeflyer commented Oct 12, 2021

There is an issue tracker on github for such reports. So I don't feel like it's necessary to add this file.

@geeknik commented Nov 25, 2021

In that case, here are a couple of issues we reported via the open source security platform huntr.dev:

local denial of service using crafted html to crash aha:
https://huntr.dev/bounties/d0e7cef2-25b9-45dd-8dbd-acee6571f1a3/

local denial of service using crafted html to crash aha:
https://huntr.dev/bounties/8c4e2c18-53bf-4e7d-a74b-4219ae17b78a/

While the "crafted html" doesn't necessarily look like html, the inclusion of these strings into a valid html file would be enough to trigger the reported issues. In the case of the above links, all that is needed is for you to confirm the issues exist, then huntr.dev will pay me a bounty for reporting the issues and then pay you (or whomever submits the patch) a bounty for fixing the issues.

Thank you.

"We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on. It is one of the most important things we can do." - Jim Zemlin

@suve (Contributor) commented Jun 9, 2022

Hi @geeknik, can I ask you to disclose the vulnerabilities to me via e-mail (or some other method you prefer)?

I cannot see the reports on huntr, since I am not formally a maintainer of this repo. I have, however, contributed before and I also maintain the aha package in Fedora Linux.
