
Vulnerability reporting procedure #1729

Closed
1 task done
silvergasp opened this issue Nov 7, 2022 · 7 comments

Comments

@silvergasp
Contributor

Related area

Security/vulnerability reporting

Hardware specification

N/A

Is your feature request related to a problem?

I think I've found a security vulnerability, but I don't want to publicly describe the problem on a GitHub issue until the problem is fixed. Having a security problem published publicly would open people up to attack.

Describe the solution you'd like

I'd like some procedures to be in place to:

NOTE: There are some templates on the links above which offer a good starting point.

I have checked existing issues, discussion and documentation

  • I confirm I have checked existing issues, discussion and documentation.
@cr1901
Collaborator

cr1901 commented Nov 15, 2022

I agree something should be done about this, apparently Github now has a feature to contact project maintainers securely/directly in case of a vuln? Idk much about it tho...

@silvergasp
Contributor Author

I wasn't aware of that. But it looks like a great option!

Link to the docs for posterity:

https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

@silvergasp
Contributor Author

It appears pretty easy to set up. But it would need to be done by someone with admin privileges.

@cr1901
Collaborator

cr1901 commented Nov 15, 2022

Well, @hathach seems to be taking a break for now, but I imagine he'll be back soon. Thanks for the link, since I completely forgot other than hearing about the new feature third-hand :D!

@silvergasp
Contributor Author

Yeah, I've emailed @hathach directly with details of the vulnerability that I found. Got a reply mentioning that he was keen to take a look, but is currently away from his computer.

I don't think there is any need to rush into getting it fixed :). Though it would be nice to get a fix together in the next couple of weeks.

@hathach
Owner

hathach commented Nov 16, 2022

Just got back to my PC, will check this out this week or so. Thank you for the issue/PR.

@hathach
Owner

hathach commented Jan 7, 2023

This should be fixed by #1789. Thank you @silvergasp very much for bringing this up, and also for making the effort to add a fuzzer, as well as the PR to integrate tinyusb into Google fuzzing.

@hathach hathach closed this as completed Jan 7, 2023