Sandbox breakout #363
Comments
Sorry, I can't create advisories. Could you test if the newest version still has the breakout?
Hey XmiliaH, we confirm that the two breakouts we found are fixed in the last release published two days ago: the dynamic import one and the custom stack trace one. If you do not issue advisories for this project, how do you plan to acknowledge the effort we put into finding these vulnerabilities? We will not proceed to disclose the remaining one(s) until we hear a clear statement from your side about this.
It seems that I do not have the permissions to create security advisories for this project. I suspect only @patriksimek is able to create them. If there are other ways to create advisories you can let me know.
I see, sorry for the misunderstanding, then. There was some miscommunication between us, the Snyk team, and you guys (we were not aware of this ticket: #366). Multi-party vulnerability disclosure is quite complex. ;) For easier communication, we can also continue this conversation over email (https://cispa.de/de/people/c01crst), and you can close this issue.
Hi,
I would like to report a sandbox breakout, but I believe this should be done in a responsible, private way. Please create a security policy and an advisory, as instructed here: #338