Create SECURITY.md #1719
Create SECURITY.md #1719
Conversation
|
SECURITY.md
Outdated
| ## Reporting a Vulnerability | ||
|
|
||
| Please do not report security vulnerabilities through public GitHub issues. | ||
| Instead, please report them to our GitHub Security page. If you prefer to submit one without using GitHub, you can also email us at security@rrweb.io. |
There was a problem hiding this comment.
@Juice10 would that email route anywhere?
i'd guess it's better not to have an email route published since then someone needs to monitor that inbox
There was a problem hiding this comment.
we've set up a new private google group for this which will also email members of the core team directly
There was a problem hiding this comment.
( @YunFeng0817 has edited this PR from security@rrweb.io to rrweb-security@googlegroups.com )
There was a problem hiding this comment.
@pauldambra, @eoghanmurray - Thanks for merging it!
Could you also consider enabling the vulnerability report feature to allow private vulnerability reports directly via GitHub?
This is where you can find this config:
Co-authored-by: Paul D'Ambra <paul.dambra@gmail.com>
mention the google group is private
formatting
At the moment, there's no documentation on how to report security vulnerabilities to rrweb-io on the rrewb project.
Please review my suggestion, make edits if needed, and provide security researchers a responsible way to report security vulnerabilities in this widely used project.