Missing security policy. Cannot report security bugs and vulnerabilities. #2115
Comments
All I see is an email wanting to disclose some issues, but no issues attached. I haven’t really been involved in the project for a few years, so I’m guessing Scott is the way to go. Maybe reach out to him on Slack or Discord?
Yes, that is because before disclosing zero day vulnerabilities, I would
rather first understand what’s the expected process and the designated
contact, but the security reporting is not enabled in the repo.
We also believe full disclosure, responsible, just as long as I provide the
vendors with enough time to patch and address the issue.
Please provide the link for your Slack or Discord.
Regards!
They’re not mine, they’re OSSEC’s.
Have you tried the contact in the security.txt file?
Added security policy into GitHub to mirror existing https://www.ossec.net/.well-known/security.txt
Hi friends,
I've come across a couple of security bugs in OSSEC HIDS that I want to disclose responsibly, but couldn't find out how exactly as there is no specific bug reporting contact or Security policy here on your GitHub, so I've tried mailing Scott R. Shinn, Dan Parriot and Dominik Lisiak on the matter earlier last month, but haven't got a response.
Could you guide me through the correct way of disclosing this to the team, without publicly disclosing the details?