Missing security policy. Cannot report security bugs and vulnerabilities. #2115
Assignees
Comments
|
All I see is an email wanting to disclose some issues, but no issues attached. I haven’t really been involved in the project for a few years, so I‘m guessing Scott is the way to go. Maybe reach out to him on slack or discord? |
|
yes, that is because before disclosing zero day vulnerabilities, I would
rather first understand what’s the expected process and the designated
contact, but the security reporting is not enabled in the repo.,
We also believe full disclosure, responsible, Just as long as I provide the
vendors with enough time to patch an address the issue.
Please provide the link for your Slack or Discord.
Regards!
|
|
They’re not mine, they’re ossec‘s. |
|
Have you tried the contact in the security.txt file? |
|
Added security policy into github to mirror existing https://www.ossec.net/.well-known/security.txt |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi friends,
I've come across a couple of security bugs in OSSEC HIDS that I want to disclose responsibly, but couldn't find out how exactly as there is no specific bug reporting contact or Security policy here on your Github, so I've tried mailing Scott R. Shinn, Dan Parriot and Dominik Lisiak on the matter earlier last month, but haven't got a response.
Could you guide me through the correct way of disclosing this to the team, without publicly disclosing the details?
The text was updated successfully, but these errors were encountered: