
Security Disclosure contact #3321

@todb-r7

Description


Sometimes, people unconnected with the Swagger projects stumble across vulnerabilities, and have some difficulty in disclosing them privately to the correct people. For example, see #3201. We made several attempts to raise a response from individuals over email, as did CERT, but ended up having to disclose to the public tracker with effectively no advance warning.

Note, this is not a theoretical situation. On June 17, 2016, @todb-r7 and @sdavis-r7 once again tried to report a new vulnerability (unrelated to #3201), and we appear to be repeating the no-response condition.

Swagger-codegen version

All

Swagger declaration file content or url

N/A

Command line used for generation

N/A

Steps to reproduce
  • Find a vulnerability
  • Email several aliases and individuals
  • Ask CERT to do the same
  • Get no response
  • Disclose issues publicly.

Related issues

See #3201.

Suggest a Fix

Set up a mail alias, security@swagger.io, where conscientious vulnerability reporters can exchange sensitive vulnerability information.
