Reporting Security Issues to Open Source Projects on Github

As a user of open source software there are some things you can do in order to receive a better response from maintainers and to make their workload just a bit more bearable. First and foremost would be properly filling out all the parts of their issue template.

Another way you can be a good open source citizen is by properly reporting security issues. I prefer the coordinated disclosure approach. However, any issue you open on Github is by default full public disclosure. In my mind this is a jerk move. This puts tremendous pressure on the maintainer of the open source project to respond quickly. Maybe that is what you want but it won't make you any friends with the maintainers and it will leave all the other users of the software open to the vulnerability.

So how do you privately report an issue to the maintainer? If the project is maintained by a large company I suggest searching the web for "report security issue to <company name>", as the top search result will generally get you the site you need. At least it did for my quick searches for Google, Facebook and Adobe.

If the package is maintained by a single developer or a small group I suggest you email the maintainer first to open a dialog that could lead to a coordinated disclosure. But how do you find the maintainer's email?

  • Check the README file to see if there is contact information.
  • If it is a node project look in the package.json to see if the author lists their email.
  • Clone the project and run `git log` from the CLI, as the maintainer's email address will frequently show up next to their commits.
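The three lookups above can be scripted. The following is an added example, not code from the original post: given the path to a cloned repository, it prints any email addresses found in the README and package.json and the most frequent committer addresses from `git log`. It also checks for a SECURITY.md file, which the post does not mention but which GitHub projects commonly use to publish a reporting address. The file names it looks for and the "top three committers" cutoff are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): gather candidate maintainer
# contact details from a cloned repository.

# Print de-duplicated email addresses found in one file (nothing if absent).
emails_in_file() {
    [ -f "$1" ] || return 0
    grep -Eo '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$1" | sort -u
}

# Most frequent committer email addresses from git history (count, address).
# The top-three cutoff is an assumption for the example.
git_log_authors() {
    git -C "$1" log --format='%ae' 2>/dev/null | sort | uniq -c | sort -rn | head -n 3
}

# Walk each source the post lists (plus SECURITY.md) and print what is found.
find_maintainer_contact() {
    repo="$1"
    for f in SECURITY.md README.md README package.json; do
        if [ -f "$repo/$f" ]; then
            echo "== $f =="
            emails_in_file "$repo/$f"
        fi
    done
    if [ -d "$repo/.git" ]; then
        echo "== git log (count, email) =="
        git_log_authors "$repo"
    fi
}

# Usage: sh find_contact.sh /path/to/clone
if [ -n "${1:-}" ]; then
    find_maintainer_contact "$1"
fi
```

The script only reads files that are already public in the clone; treat whatever it prints as a starting point for the private email the post recommends, and prefer a SECURITY.md address when one exists.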

Worst case scenario, create an issue asking the maintainer to contact you for details of the issue. If they don't get back to you in a reasonable amount of time then go ahead and create a public issue. Note: a reasonable amount of time to me is a minimum of two weeks. Remember OSS maintainers are people too and sometimes they take vacations or have family issues, just like you.

When you send an email to the maintainer remember to include all the details that the maintainer's issue template asks for. Putting in the work up front to properly report an issue will get you a much better response. At least it does from me and from my experience dealing with other maintainers.