Blazegraph (by SYSTAP) / BLZG-9163

Security contact is unresponsive


    Details

    • Type: Bug
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Other
    • Labels:
      None

      Description

      The Security.md document (current version) instructs users to email security@blazegraph.com to report a security issue, and promises an acknowledgment within 24 hours. (The PGP key on that page is actually valid for blazegraph@blazegraph.com rather than security@blazegraph.com, which is a bit confusing, but it's possible to encrypt for another addressee than the email recipient, and/or send the message to blazegraph@blazegraph.com as well, so that's not a huge problem.)

      I have sent emails about a security vulnerability I discovered to security@blazegraph.com on March 27th and April 9th, and to blazegraph@blazegraph.com on May 31st, but have yet to receive as much as an acknowledgement for any of these emails, let alone any further kind of response. Clearly, the claim in Security.md that "[a]ll security reports are acknowledged within 24 hours" is not true (most likely outdated - it was introduced about three years ago, see BLZG-2053), so I think that the document should be updated to either explain the current best practice security reporting instructions for Blazegraph, if those exist, or else at least describe the status quo more accurately - which seems to be that there is a PGP key that you can use to encrypt sensitive information, and you may as well try to email security@blazegraph.com or blazegraph@blazegraph.com, but you don't exactly need to hold your breath for a response.

            People

            Assignee:
            beebs Brad Bebee
            Reporter:
            lucaswerkmeister Lucas Werkmeister