
How to get in touch regarding a security concern #9232

Open
psmoros opened this issue Apr 24, 2024 · 8 comments

Comments

@psmoros commented Apr 24, 2024

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@tvnnn) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

@toolslive

Hi, I think I found an issue (might be the same as the potential issue above, or a different one). So can we move forward with this?

The alternative is just adding an issue with a security tag, but I would like to give you a head start.

@bashtage (Member) commented May 8, 2024

Is it the use of pickle?

@toolslive

No.

@josef-pkt (Member) commented May 20, 2024

Should we activate
https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability ?

Then maintainers would get notifications and it's private.

CodeQL does not show any security warnings, except for the jinja doc build, which is build code and not user code.
https://github.com/statsmodels/statsmodels/security/code-scanning

@toolslive

the "privately-reporting-a-security-vulnerability" flow doesn't seem to work.
Alternatively I could just post a proof of concept exploit here. The maintainers had ample opportunity to react.

@bashtage (Member)

Just go ahead and post it.

@josef-pkt (Member)

or send a private email to me and bashtage

@josef-pkt (Member)

> the "privately-reporting-a-security-vulnerability" flow doesn't seem to work.

we have not enabled it yet.
My question was whether we need or should enable it.

In general, statsmodels is intended for interactive use or automated use.
E.g., formula handling by patsy and formulaic uses eval. It's the responsibility of the caller not to do anything unsafe.

In statsmodels itself, I think we are not doing anything that can cause security concerns.
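A check a caller can put in front of the formula interface, as an added example (this is not statsmodels, patsy or formulaic code): because patsy and formulaic evaluate the factors of a formula as Python expressions with eval, a formula string taken from an untrusted source is arbitrary code execution in the caller's process. The allow-lists, helper names and sample formulas below are assumptions chosen for the example. The check runs the string through Python's own tokenizer and rejects anything that is not a number, a known column name, an allow-listed helper or a formula operator, so the hostile strings never reach eval.

```python
"""Allow-list check for model formula strings before they reach patsy/formulaic.

Added example, not statsmodels code. The allow-lists below are assumptions
chosen for the example; tighten them to what your application really needs.
"""
from __future__ import annotations

import io
import tokenize
from typing import Iterable

# Formula-level operators used by patsy/formulaic (assumed allow-list).
ALLOWED_OPS = {"+", "-", "*", "/", ":", "**", "~", "(", ")", ",", "."}

# Helper functions and namespaces the application chooses to permit inside a
# factor (assumed). patsy evaluates factors as Python expressions, so anything
# reachable from these names is reachable from a formula.
ALLOWED_FUNCS = {"C", "I", "Q", "center", "standardize", "np", "log", "sqrt"}


def check_formula(formula: str, columns: Iterable[str]) -> tuple[bool, str]:
    """Return (ok, reason).

    ok is True only when every token is a number, a known column name, an
    allow-listed helper, or a formula operator. String literals, unknown
    names, underscore-prefixed names (dunders), subscripts and assignment are
    rejected, so the string never reaches eval() carrying attacker-chosen code.
    """
    allowed_names = set(columns) | ALLOWED_FUNCS
    try:
        tokens = list(tokenize.generate_tokens(io.StringIO(formula.strip()).readline))
    except (tokenize.TokenError, SyntaxError) as exc:
        # Unbalanced parentheses, unterminated strings, stray characters.
        return False, f"cannot tokenize formula: {exc}"

    for tok in tokens:
        if tok.type in (tokenize.NEWLINE, tokenize.NL, tokenize.ENDMARKER,
                        tokenize.INDENT, tokenize.DEDENT):
            continue
        if tok.type == tokenize.NUMBER:
            continue
        if tok.type == tokenize.NAME:
            if tok.string.startswith("_") or tok.string not in allowed_names:
                return False, f"name {tok.string!r} is not a column or an allowed helper"
            continue
        if tok.type == tokenize.OP:
            if tok.string not in ALLOWED_OPS:
                return False, f"operator {tok.string!r} is not allowed in a formula"
            continue
        # STRING, COMMENT, ERRORTOKEN, f-string parts: nothing else belongs in a formula.
        return False, f"{tokenize.tok_name[tok.type]} token {tok.string!r} is not allowed"
    return True, "ok"


# Constructed inputs for the example: the first two are ordinary formulas, the
# rest are the kind of strings an untrusted caller could supply.
SAMPLE_COLUMNS = ["y", "x1", "x2", "group"]
SAMPLES = [
    "y ~ x1 + np.log(x2) + C(group)",
    "y ~ x1 * x2 + I(x1 ** 2) - 1",
    "y ~ x1 + __import__('os').system('id')",
    "y ~ x1 + x2.__class__.__mro__[1]",
    "y ~ x1 + (lambda: 1)()",
    "y ~ x1 + I('a')",
]


def screen(formulas: Iterable[str], columns: Iterable[str]) -> dict[str, bool]:
    """Map each formula to whether it passed the check."""
    return {f: check_formula(f, columns)[0] for f in formulas}


if __name__ == "__main__":
    for formula, ok in screen(SAMPLES, SAMPLE_COLUMNS).items():
        status = "accept" if ok else "reject"
        print(f"{status}: {formula}  ({check_formula(formula, SAMPLE_COLUMNS)[1]})")
    # Only after check_formula(...) returns True would the caller hand the
    # string to statsmodels, e.g. smf.ols(formula, data=df).fit().
```

Call check_formula before smf.ols(formula, data=df). It is defense in depth, not a substitute for refusing formulas from untrusted users: the allow-list is coarse (column names starting with an underscore are refused, and through np only attributes whose names are themselves allow-listed can be reached), and a formula that passes can still be arbitrarily expensive to fit.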
