
Not possible to reach maintainers to discuss possible security vulnerability

Open ghost opened this issue 5 years ago • 8 comments

Current behavior

I have emailed [email protected] (the 23rd of December 2020) with questions regarding a possible security vulnerability in an extension of Devise but haven't received a response yet. Is the contact information for security problems up-to-date? How can I get in touch with maintainers? (I have received a response from the extension maintainer but would still want a comment from Devise maintainers.)

Expected behavior

I would expect a response - at least a negative one like "sorry we don't want to discuss the security in extensions not part of this GitHub project". Please double-check that active maintainers have access to the [email protected] Google Groups group. It would be great to have a security policy as well in this repo so it's easier to find contact information.

ghost avatar Jan 11 '21 11:01 ghost

@LabanSkollerDefensify My apologies, I don't believe I'm receiving anything that's being sent to [email protected]. I'll investigate how that was set up when we moved to the heartcombo org. I'm also gonna review references to that and the security information in the readme, and make sure it's all up-to-date.

Generally speaking, if the security issue is part of an extension, they'd be responsible for working with you on fixing and releasing an updated version without the need for Devise to intervene, but I'd be happy to discuss it via email and help if I can. Please feel free to reach out to me directly at carlosantoniodasilva at gmail. Appreciate your work here in submitting this issue.

carlosantoniodasilva avatar Jan 11 '21 11:01 carlosantoniodasilva

Thank you, Carlos! I've now included the new email address in the conversation.

ghost avatar Jan 11 '21 12:01 ghost

By the way, if you update the README to reflect a new contact for security issues, please don't forget to also update the issue template where the heartcombo email address is also included.

ghost avatar Jan 11 '21 12:01 ghost

@carlosantoniodasilva, can you please confirm that you received the email I sent you? I copied the address from your profile so it should be the correct address. But you never know with the Spam folder and so on...

ghost avatar Jan 13 '21 13:01 ghost

@LabanSkollerDefensify my apologies, yes I did receive the email, I should've ack'd there at least, even though I haven't been able to respond yet.

carlosantoniodasilva avatar Jan 13 '21 13:01 carlosantoniodasilva

Ok. Thanks for the confirmation!

ghost avatar Jan 13 '21 13:01 ghost

Seems resolved to me. Recommend Close.

evolve2k avatar Aug 26 '21 02:08 evolve2k

Hey guys!

Similar issue: I sent an email on the 7th of December 2023 to [email protected] and haven't received a response yet. Would you like me to try another channel?

DimitriosLisenko avatar Jan 03 '24 11:01 DimitriosLisenko