|
| 1 | +# Security Guidelines |
| 2 | + |
| 3 | +Please contact us directly at **[email protected]** for any bug that might |
| 4 | +impact the security of this project. Please prefix the subject of your email |
| 5 | +with `[security]` in lowercase and square brackets. Our email filters will |
| 6 | +automatically prevent these messages from being moved to our spam box. All |
| 7 | +emails that do not include security vulnerabilities will be removed and blocked |
| 8 | +instantly. |
| 9 | + |
| 10 | +In addition to a dedicated email address to receive security related reports, |
| 11 | +we also have a [Hacker1 account][hacker1] that can be used be used for |
| 12 | +communicating security related issues. |
| 13 | + |
| 14 | +You will receive an acknowledgement of your report within **24 hours** of |
| 15 | +notification. |
| 16 | + |
| 17 | +## Exceptions |
| 18 | + |
| 19 | +If you do not receive an acknowledgement within the said time frame please give |
| 20 | +us the benefit of the doubt as it's possible that we haven't seen it yet. In |
| 21 | +this case please send us a message **without details** using one of the |
| 22 | +following methods: |
| 23 | + |
| 24 | +- Give a poke on Twitter [@3rdEden](https://twitter.com/3rdEden) |
| 25 | +- Contact the lead developers of this project on their personal e-mails. You |
| 26 | + can find the e-mails in the git logs, for example using the following command: |
| 27 | + `git --no-pager show -s --format='%an <%ae>' <gitsha>` where `<gitsha>` is the |
| 28 | + SHA1 of their latest commit in the project. |
| 29 | + |
| 30 | +Once we have acknowledged receipt of your report and confirmed the bug |
| 31 | +ourselves we will work with you to fix the vulnerability and publicly |
| 32 | +acknowledge your responsible disclosure, if you wish. |
| 33 | + |
| 34 | +## History |
| 35 | + |
| 36 | +> url-parse returns wrong hostname which leads to multiple vulnerabilities such |
| 37 | +> as SSRF, Open Redirect, Bypass Authentication Protocol. |
| 38 | +
|
| 39 | +- Hacker1 report: https://hackerone.com/reports/384029 |
| 40 | +- Reported by [lolwaleet](https://hackerone.com/lolwalee) |
| 41 | +- Triaged by [Liran Tal](https://hackerone.com/lirantal) |
| 42 | +- Fixed in: 1.4.3 |
| 43 | + |
| 44 | +--- |
| 45 | + |
| 46 | +[twitter]: https://twitter.com/3rdEden |
| 47 | +[hacker1]: https://hackerone.com/3rdeden |
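Review bot: The reporter link on line 40 points at `https://hackerone.com/lolwalee` while the display name reads `lolwaleet`; one of the two is mistyped, so please confirm the handle against the HackerOne report before merging, since a wrong profile link misattributes credit. Smaller documentation issues in the same hunk: line 11 repeats "be used be used" and line 11/39 say "Hacker1" where the platform is HackerOne; the `[twitter]` reference on line 46 is defined but never used, because line 24 links Twitter inline (either use `[@3rdEden][twitter]` on line 24 or drop the definition); and the contact address on line 3 renders as `[email protected]`, so make sure the committed file carries the real address rather than an obfuscated placeholder.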