GitHub Security Policy feature Echos Vulnerability Reports using unprotected emails #139653
Replies: 1 comment
-
💬 Your Product Feedback Has Been Submitted 🎉 Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users. Here's what you can expect moving forward ⏩
Where to look to see what's shipping 👀
What you can do in the meantime 💻
As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities. Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐ |
Beta Was this translation helpful? Give feedback.
-
Select Topic Area
Bug
Body
Defect in the implementation of Security Policy feature for private submission of vulernability information.
Although the Security Policies tab provision to privately-report and discuss vulnerabilities/exploits, and there is notification to the repo owner that there is such a message, the texts of the vulnerability report are transmitted to the owner in plain email with revealing subject lines.
That sort of defeats the purpose of providing a private mechanism for discussing and assessing vulnerabilities.
PS: I don't think Code Security Bug is quite the appropriate choice of labels, but I could find nothing better.
Beta Was this translation helpful? Give feedback.
All reactions