Hi maintainers,
I found a potential denial-of-service vulnerability affecting ttfunk when parsing crafted TrueType/SFNT font data.
I do not want to publish technical details or a proof of concept in a public issue before maintainers have a chance to triage it.
Could you please let me know the preferred private channel for reporting security issues?
Possible options:
- enable GitHub Private Vulnerability Reporting for this repository;
- create a draft GitHub Security Advisory and invite me;
- provide a private security email/contact.
If confirmed, this may be suitable for a GitHub Security Advisory and CVE because it affects applications that parse untrusted font data through ttfunk.
Thanks.
Hi maintainers,
I found a potential denial-of-service vulnerability affecting ttfunk when parsing crafted TrueType/SFNT font data.
I do not want to publish technical details or a proof of concept in a public issue before maintainers have a chance to triage it.
Could you please let me know the preferred private channel for reporting security issues?
Possible options:
If confirmed, this may be suitable for a GitHub Security Advisory and CVE because it affects applications that parse untrusted font data through ttfunk.
Thanks.