In accordance with the disclose.io core terms, essentials defines the following:
Any vulnerability in the essentials repository that either results in an unintended loss of funds or results in grievance for potential users is covered under the responsible disclosure program.
Since essentials is a volunteer OSS project right now, I am unable to provide any rewards. But if the scope of the vulnerability is huge and other packages that use this are affected, I will make sure they reward you according to the scope of the vulnerability.
- Personal Message to "Varunram" on freenode IRC
- Preferably Encrypted Email to [email protected]. Our PGP Key fingerprint is
C98F 0014 9A99 36E4 E56D 2471 708C 6065 04A4 9970
If you do not receive a reply within one day, please do send a reminder so I can act at the earliest.
I believe in a coordinated disclosure program where vulnerability details may be shared with the public after the vulnerability has been fixed and the program owner has provided permission to disclose or after 90 days from submission, whichever is sooner.
I thank in advance anyone who plans to report a vulnerability and hope to work with you on a fix as soon as possible.