Report a Security Bug
The act of revealing a vulnerability in any code that I have written is a personal choice; as is the manner in which you go about it. If you already have a process you feel comfortable with (full vs coordinated disclosure), go with that. If you are new to disclosing vulnerabilities, please read on.
In my opinion, if you find a security bug in any of the software or services I develop, it should be released via Full Disclosure.
Some ways to fully disclose a security vulnerability:
- If the project has a GitHub repository (most likely), open an issue in the issue tracker
- Send an email to [email protected] — especially if you have exploit code on-hand (feel free to Cc me too if you're worried that I'll miss the FD post)
- Post it on PasteBin/TwitLonger/etc. and tweet the link to a bunch of people (including @voodooKobra please)
- Write a blog post and tweet/email me the link
I promise to never pursue the prosecution of anyone for exploiting any of my systems in order to verify the exploitability of a security bug, because the Computer Fraud and Abuse Act is horse-shit that no sane person would enforce.
The above promise does not extend to the users of my systems or any of their sensitive information; only to the systems I control, the software I write, and myself.
If you really insist on not practicing full disclosure, I suppose you could just email it to me. Though if you do, I'm just going to publish it as soon as I resolve it.
Contact Paragon Initiative Enterprises and request Scott be assigned to your project.