Security vulnerability #892
Comments
|
I deal with all bug reports publicly and transparently. Please post the report here like any other bug report. |
|
David, please go to miniaudio Security Policy and provide the necessary information. Then be prepared to handle vulnerability reports. Exploitable security defects are not the same as bugs. Dealing with them in public leaves all users of products based on a vulnerable release exposed to exploits. There are safe practices for not identifying such defects even when a commit is made that includes elimination of a vulnerability. Resolution and all discussions are in secret until a repair is made. Then people are warned to use the updated release along with minimal discussion of the nature of the vulnerability. This should not be new news. You might be aware that when GitHub recognizes a likely security flaw, typically from a dependency but also from their own scans, they always report privately and do not do anything in public. @CiscoTalos |
|
I realize I need to follow my own advice, including providing a security policy that specifies there is no exploit handling/reporting on repositories where there are no public releases and any code is unsupported while being experimental/provisional and not for a stable release. Since I'm not accepting pushes, these are low-security situations. @CiscoTalos |
|
===Practice What I Preach Department=== I started setting security policies for all of my repositories. |
Dear David
We are trying to reach you to submit a vulnerability report for MiniAudio. So far we have sent emails to the listed @gmail address. Please get back to us.
Best,
Martin
Cisco Talos
The text was updated successfully, but these errors were encountered: