Comment by xena

Comment by xena 4 days ago

[dead]

tptacek 4 days ago

You needed to have a security contact on your website, or at least in the repo. You did not. You assumed security researchers would instead back out to your Github account's repository list, find the .github repository, and look for a security policy there. That's not a thing!

I'm really surprised you wrote this.

Reply View 2 replies

qualeed 4 days ago

>I'm really surprised you wrote this.
I agree with the rest of your comment, but this seems like a weird little jab to add on for no particular reason. Am I misinterpreting?

Reply View | 1 reply
- tptacek 4 days ago
  
  No, there's some background context I'm not sharing, but it's not interesting. I didn't mean to be cryptic, but, obviously, I managed to be cryptic. I promise you're not missing anything.
  
  Reply View | 0 replies

withinrafael 4 days ago

The security policy that didn't exist until a few hours ago?

Reply View 3 replies

david_allison 4 days ago

Added on March 18: https://github.com/TecharoHQ/.github/commits/main/SECURITY.m...
Copied to the root of the repo after the disclosure
ref: https://github.com/TecharoHQ/anubis/issues/1002#issuecomment...

Reply View | 2 replies
- withinrafael 4 days ago
  
  Adding a security policy to an unrelated repository is easily missed and questionably applicable.
  
  Reply View | 0 replies
- Borgz 4 days ago
  
  In a different repository, though. I think it's understandable that someone would miss it.
  
  Reply View | 0 replies