
Create a Security Policy #165

Open
eslerm opened this issue Feb 8, 2024 · 1 comment


eslerm commented Feb 8, 2024

fdk-aac lacks a SECURITY.md

If a vulnerability is found in fdk-aac, a researcher will not know how to privately raise the issue with your developers. The only places I could find to report are this public issue tracker or public mailing lists.

By defining a Security Policy, fdk-aac can set clear expectations to reporters who want to keep fdk-aac and users safe.

Here's GitHub Security's policy as an example. Another option is to use GitHub's private vulnerability reporting feature.


eslerm commented Mar 14, 2024

Since fdk-aac syncs from https://android.googlesource.com/platform/external/aac (or https://sourceforge.net/projects/opencore-amr/ ?) it might be most appropriate if the SECURITY.md points to where to report issues upstream.

#167 was reported by @jslarraz to Android VRP. Android requested a PoC and directed him to https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs
