Security concern

[psmoros]

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@prprhyt) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

[alltheseas]

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@prprhyt) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

Thank you: can you kindly send to [email protected]

[prprhyt]

[email protected] is an open mailing list. So I think given the confidential thing of the information, a more private contact would be preferable.

By the way, I have been chatting with @jb55 a bit in advance at [email protected].

@jb55
Could you please check this?
What do you think?
I respect your decision.

[alltheseas]

Email Will directly at the email you mentioned in that case

[jb55]

you can message me at: SimpleX: https://simplex.chat/contact#/?v=1-2&smp=smp%3A%2F%2FSkIkI6EPd2D63F4xFKfHk7I1UGZVNn6k1QWZ5rcyr6w%3D%40smp9.simplex.im%2F-CDV36suiOZvfNAYO8KyrS-Mm11gqLPk%23%2F%3Fv%3D1-2%26dh%3DMCowBQYDK2VuAyEAi5qRpBri-RQb6Fupyq0G_c-dLxXUxCvKZxYPVlfEoQo%253D%26srv%3Djssqzccmrcws6bhmn77vgmhfjmhwlyr3u7puw4erkyoosywgl67slqqd.onion Email: ***@***.***

[prprhyt]

@psmoros

Could you check the new SECURITY.md and contact @jb55 using his email address, if you have never contacted him yet?

[jb55]

The upcoming nostrdb changes fixes all this because the ingress thread will handle verification on all events before insertion into the database, similar to how strfry does it.

[alltheseas]

Does this mean with db update all incoming events are automagically validated?

[jb55]

Thats the plan

[alltheseas]

@jb55 is this resolved?

[jb55]

On Mon, Sep 25, 2023 at 12:50:59PM -0700, alltheseas wrote: @jb55 is this resolved?

it will be when we switch to nostrdb for our note cache (soon), but not yet.

[alltheseas]

On Mon, Sep 25, 2023 at 12:50:59PM -0700, alltheseas wrote: @jb55 is this resolved?
it will be when we switch to nostrdb for our note cache (soon), but not yet.

Do you want to commit to this for the sprint first half of October?

[jb55]

On Tue, Sep 26, 2023 at 06:35:34AM -0700, alltheseas wrote: > On Mon, Sep 25, 2023 at 12:50:59PM -0700, alltheseas wrote: @jb55 is this resolved? > it will be when we switch to nostrdb for our note cache (soon), but not yet. Do you want to commit to this for the sprint first half of October?

It's a pretty crazy month for me (pacific, amsterdam, bali, tokyo), so probably not. Will be back at it after nostrasia.