[vim/vim] Add security policy (PR #12687)


Santos Gallegos, Jul 18, 2023, 9:57:48 PM, to vim/vim

Currently, it is hard to find where to report security issues; the only mention of it is in the issue template.

https://github.com/vim/vim/blob/4c0089d696b8d1d5dc40568f25ea5738fa5bbffb/.github/ISSUE_TEMPLATE/bug_report.yml?plain=1#L12-L15

Adding a SECURITY.md file will make it easier to find; it will be displayed at https://github.com/vim/vim/security.

BTW, I just reported one in huntr.dev :)


You can view, comment on, or merge this pull request online at:

  https://github.com/vim/vim/pull/12687

File Changes (1 file)


Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread. Message ID: <vim/vim/pull/12687@github.com>

Christian Brabandt, Aug 9, 2023, 11:08:40 AM, to vim/vim

I have a question: if one uses huntr.dev, is the issue directly disclosed to the public, or is it only made available to the repository members?



codecov[bot], Aug 9, 2023, 12:41:54 PM, to vim/vim

Codecov Report

Merging #12687 (fa88aa9) into master (4c0089d) will increase coverage by 0.63%.
Report is 17 commits behind head on master.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master   #12687      +/-   ##
==========================================
+ Coverage   82.09%   82.73%   +0.63%     
==========================================
  Files         160      150      -10     
  Lines      193683   180569   -13114     
  Branches    43493    40589    -2904     
==========================================
- Hits       159005   149387    -9618     
+ Misses      21833    18228    -3605     
- Partials    12845    12954     +109     
Flag              Coverage   Diff   Δ
huge-clang-none   82.73%     <ø>    (-0.02%) ⬇️
linux             82.73%     <ø>    (-0.02%) ⬇️
mingw-x64-HUGE    ?
mingw-x86-HUGE    ?
windows           ?

Flags with carried forward coverage won't be shown.

144 files with indirect coverage changes.



Santos Gallegos, Aug 9, 2023, 12:51:47 PM, to vim/vim

@chrisbra this is my first time using huntr.dev. If you mean the initial report, that's only available to maintainers (or people that have access to huntr.dev); not sure if you have access to that site to see the currently reported vulnerabilities. There is also the possibility of using GitHub Advisories instead of huntr.dev: they also handle issuing CVEs, you can privately discuss the issue, create a temporary private repo to fix the vulnerability, involve more people, etc. https://docs.github.com/en/code-security/getting-started/github-security-features#security-advisories



Christian Brabandt, Aug 9, 2023, 12:58:08 PM, to vim/vim

Yes, I specifically meant how to handle new security issues the first time. So it sounds like it is using responsible disclosure, which makes sense. Can you please mention that creating issues at huntr.dev won't disclose them to the public then?



Santos Gallegos, Aug 9, 2023, 1:04:09 PM, to vim/vim

@stsewd pushed 1 commit.

  • fc0b622 Mention that reports are private



Santos Gallegos, Aug 9, 2023, 1:10:01 PM, to vim/vim

Changed the sentence; hopefully it's more explicit now, but let me know of any other changes.



Christian Brabandt, Aug 9, 2023, 2:11:23 PM, to vim/vim

Thanks, looks good now.



Christian Brabandt, Aug 9, 2023, 2:12:15 PM, to vim/vim

Merged #12687 into master.



Santos Gallegos, Aug 31, 2023, 4:01:47 PM, to vim/vim

Hi, any updates on https://huntr.dev/bounties/e1ce0995-4df4-4dec-9cd7-3136ac3e8e71/? (The content is visible to maintainers only.)



Christian Brabandt, Aug 31, 2023, 6:02:25 PM, to vim/vim

Sorry, I did not get a notification for this one. Still trying to get the hang of how to work with huntr properly. Anyhow, https://github.com/vim/vim/releases/tag/v9.0.1833 should fix the issue.

