How to get in touch regarding a security concern #9232
Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@tvnnn) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future. Looking forward to hearing from you 👍

(cc @huntr-helper)

Comments

Hi, I think I found an issue (might be the same as the potential issue above, or a different one). So can we move forward with this? The alternative is just adding an issue with a tag.

Is it the use of pickle?

No.

Then maintainers would get notifications and it's private. CodeQL does not show any security warnings, except the Jinja doc build, which is build and not user code.

The "privately-reporting-a-security-vulnerability" flow doesn't seem to work.

Just go ahead and post it.

Or send a private email to me and bashtage.

We have not enabled it yet. In general, statsmodels is intended for interactive use or automated use. In statsmodels itself, I think we are not doing anything that can cause security concerns.