Details

    • Type: Bug
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Other
    • Labels:
      None

      Description

      The Security.md document (current version) instructs users to email security@blazegraph.com to report a security issue, and promises an acknowledgment within 24 hours. (The PGP key on that page is actually valid for blazegraph@blazegraph.com rather than security@blazegraph.com, which is a bit confusing, but it's possible to encrypt for another addressee than the email recipient, and/or send the message to blazegraph@blazegraph.com as well, so that's not a huge problem.)

      I have sent emails about a security vulnerability I discovered to security@blazegraph.com on March 27th and April 9th, and to blazegraph@blazegraph.com on May 31st, but have yet to receive as much as an acknowledgement for any of these emails, let alone any further kind of response. Clearly, the claim in Security.md that "[a]ll security reports are acknowledged within 24 hours" is not true (most likely outdated - it was introduced about three years ago, see BLZG-2053), so I think that the document should be updated to either explain the current best-practice security reporting instructions for Blazegraph, if those exist, or else at least describe the status quo more accurately - which seems to be that there is a PGP key that you can use to encrypt sensitive information, and you may as well try to email security@blazegraph.com or blazegraph@blazegraph.com, but you don't exactly need to hold your breath for a response.

        Activity

        lucaswerkmeister Lucas Werkmeister added a comment -

        I’ve reported the security issue in question on GitHub now, along with a fix: see #144 and #145.


          People

          • Assignee:
            beebs Brad Bebee
            Reporter:
            lucaswerkmeister Lucas Werkmeister
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated: