Security Contact Doesn't Exist #275
Comments
Please open an issue so that we can check and fix.
On the security section of the repo https://github.com/aspirepress/aspireupdate/security/advisories
What we were linking to before was the security section of the repo. It says to send an email to an address that isn’t set up. So do you mean using the form that the “Report a vulnerability” button on the page you linked to leads to? We can do that, but that takes you to a page for writing an advisory, which isn’t quite relevant for reporting an issue. That seems like a not great design choice by GitHub.
Totally agree that the security policy needs to be updated since the email address doesn't exist. With regards to the "Report a vulnerability" button and this relating to advisories, that's indeed the intent by GitHub when used in conjunction with the "Private vulnerability reporting" option (Ref) where for example, an advisory may be created but wouldn't be published publicly until after the issue has been accepted and the fix has been released.
For the sake of handling the security policy change for the AspireUpdate repository, I'll reopen this issue and attach a PR to it for consideration.
@PluginVulnerabilities Please open an issue and disclose the vulnerability.
A week ago, we tried to report the minor security issues we found in the plugin through a security review. The response we got back to the email sent to the email address mentioned on your security page was that the email address didn't exist. We then used the contact form on the project's website to try to alert you to that issue. We haven't received a response to that. We just tried the email address again, and it still doesn't exist. The issues are minor, so it wouldn't be a risk to file an issue for them, but is there an alternative security contact or can the listed one be set up?