Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to get in touch regarding a security concern #1195

Closed
JamieSlome opened this issue Feb 2, 2022 · 3 comments
Closed

How to get in touch regarding a security concern #1195

JamieSlome opened this issue Feb 2, 2022 · 3 comments

Comments

@JamieSlome
Copy link

Hey there!

I belong to an open source security research community, and a member (@Sampaguitas) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

@Sampaguitas
Copy link

Sampaguitas commented Oct 25, 2023

Hey there,

I tried to get in touch with the developers to disclose a prototype pollution vulnerability in your sequelize-typescript npm package two years ago but never got a reply.

The latest version as of your npm package (2.5.1) is still vulnerable.

Here is the link to the security report posted on huntr.com platform

I would appreciate if you validate it, a patch is also available to fix the vulnerability.

notes: this report is private and can only be viewed by maintainers of the project.

@WikiRik
Copy link
Member

WikiRik commented Oct 25, 2023

Thanks for sending another message. We've received it and will look into this issue. We will be giving updates on the huntr platform as well

@Sampaguitas
Copy link

Thank you Rik

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants