Any Update on Reported Vulnerability

Ben Cooksley bcooksley at kde.org
Sat Mar 27 19:51:25 GMT 2021


On Sun, Mar 28, 2021 at 6:53 AM M.Arslan Kabeer <arslan.whitehat at inbox.eu> wrote:

> Oh yeah, sorry :), can I report further vulnerabilities?


Hi there,

Yes, further issues you have identified can be reported.

Please note, however, that most automated tools usually identify items that
are generally not an issue, including:
- The existence of publicly accessible Jenkins instances
- The accessibility of underlying Git repositories (as all the software we
  run is open source and hosted publicly somewhere)
- The accessibility of build system artifacts such as composer.json and
  Gemfile.lock (which are contained in the above-mentioned repositories)
- The accessibility of environment files (.env), which are also public in
  the case of https://apps.kde.org/.env (also contained in one of those same
  repositories)

Regards,
Ben Cooksley
KDE Sysadmin


> ----- Reply to message -----
> *Subject: *Re: Any Update on Reported Vulnerability
> *Date: *Fri, 26 Mar 2021, 21:05
> *From: * Carl Schwan <carl at carlschwan.eu>
> *To: * kde-www <kde-www at kde.org>
>
> On Friday, March 26, 2021 7:58 PM, Nicolás Alvarez <nicolas.alvarez at gmail.com> wrote:
>
> > On Fri, Mar 26, 2021 at 06:00, arslan.whitehat at inbox.eu wrote:
> >
> > > Hi there,
> > > Team, any update on the vulnerability report? I have reported a DMARC
> > > vulnerability on 2021-03-18, and it's been a while; kindly update me about
> > > the vulnerability progress.
> > > I am also attaching the POC images again.
> > > I am hoping to receive a reward for the responsible disclosure of the
> > > vulnerability.
> >
> > We already replied about DMARC (this isn't a vulnerability and we
> > don't have a bounty program), and you already acknowledged the reply
> > on 2021-03-19.
>
> It's probably difficult to keep track of who replied with what, when
> probably sending these messages to anyone with missing DMARC config in a
> semi-automated way. :)
>
> Carl
> > Nicolás
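The thread turns on a scanner reporting a "missing DMARC config" as a vulnerability. The following triage helper, added here as an example and not code from the list archive or from KDE's own tooling, classifies the TXT records published at _dmarc.<domain> by policy strength so a defender can file such a finding as posture hardening rather than an exploitable bug. It runs offline on constructed sample records (no DNS lookups); the domain names and records are made up for illustration.

```python
"""Triage helper for 'missing DMARC' scanner findings (constructed samples only)."""
import re

DMARC_PREFIX = "v=DMARC1"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != DMARC_PREFIX:
        return None
    tags = {}
    for part in parts[1:]:  # remaining parts are name=value tags
        m = re.fullmatch(r"(\w+)\s*=\s*(.*)", part)
        if not m:
            return None
        tags[m.group(1).lower()] = m.group(2).strip()
    return tags

def assess_dmarc(txt_records):
    """Classify the TXT records at _dmarc.<domain> as
    missing / malformed / monitor-only / partial / enforcing; returns (status, detail)."""
    dmarc = [r for r in txt_records if r.strip().replace(" ", "").startswith(DMARC_PREFIX)]
    if not dmarc:
        return "missing", "no v=DMARC1 record published"
    if len(dmarc) > 1:
        return "malformed", "multiple DMARC records; receivers discard them all"
    tags = parse_dmarc(dmarc[0])
    if tags is None or "p" not in tags:
        return "malformed", "unparseable record or required 'p' tag absent"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "malformed", f"unknown policy {policy!r}"
    if policy == "none":
        return "monitor-only", "p=none: reports only, failing mail is still delivered"
    pct = tags.get("pct", "100")
    if pct != "100":
        return "partial", f"p={policy} applied to only {pct}% of failing mail"
    return "enforcing", f"p={policy}"

# Constructed example records (not real DNS data), one per status.
SAMPLE_RECORDS = {
    "nodmarc.example": ["some-site-verification=abc123"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "enforce.example": ["v=DMARC1; p=reject; sp=reject"],
    "broken.example": ["v=DMARC1; rua=mailto:dmarc@broken.example"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, *assess_dmarc(records))
```

To use it against a real domain, feed `assess_dmarc` the strings returned by a TXT lookup of `_dmarc.<domain>`; only a "missing" or "monitor-only" result is worth a posture ticket, and neither is an exploitable flaw on its own.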