-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarifications on security vulnerability process #319
Comments
I may need help with clearing out few more criteria for libmaxminddb in the list. Mainly below ones:
Please let me know if I should create separate issue per each criteria |
Hi! Thanks for contacting us about this:
We do not currently have a separate security reporting process. Security issues are currently reported here or via support@maxmind.com.
Yes, our tests run in CI.
I don't have the current coverage percentage, but they were high in the past and I believe them to still be high.
As you can see from the workflows I linked to, we currently run the tests with Clang's AddressSanitizer enabled. We also run Clang's static analysis and GitHub's CodeQL against the code. We also run afl-fuzz on the code, in particular when making more significant changes.
We do not currently have a process for notifying third parties. Most reported security issues are fixed as soon as possible. See, e.g., 1, 2, 3
There are many projects that either use
There are many hundreds of more, particularly once you count indirect reverse dependencies via things like |
Thanks for detailed response @oschwald |
It appears your questions have been answered. I am going to close out this issue. Please let me know if you have any follow-up questions. |
Hi, is there is a security vulnerability reporting process for this project? Are vulnerabilities reported privately or in public?
Some context: Envoyproxy is considering to add Maxmind based geolocation filter as core dependency, and for that libmaxminddb needs to be evaluated against a list of criteria. Existence of security vulnerability process is one of such criteria.
The text was updated successfully, but these errors were encountered: