Skip to content

Security contact for private vulnerability report? #121

Description

@ivaldivieso

Hi maintainers,

I found a potential denial-of-service vulnerability affecting ttfunk when parsing crafted TrueType/SFNT font data.

I do not want to publish technical details or a proof of concept in a public issue before maintainers have a chance to triage it.

Could you please let me know the preferred private channel for reporting security issues?

Possible options:

  • enable GitHub Private Vulnerability Reporting for this repository;
  • create a draft GitHub Security Advisory and invite me;
  • provide a private security email/contact.

If confirmed, this may be suitable for a GitHub Security Advisory and CVE because it affects applications that parse untrusted font data through ttfunk.

Thanks.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions