I discovered a potential security flaw in this package, and reported it to the Jazzband security mailing address as directed to on this page over a year ago.
My initial email was acknowledged, I was told that my email was forwarded onto the project lead, and then all further contact ceased despite my repeated attempts.
I have also email Bouke directly, who was responsive, but they have stepped away from maintaining this project and cannot help me any further.
I have tried to follow the published guidelines for reporting security flaws and I have gotten nowhere after giving a very diplomatic amount of time to respond. But almost one year of non-contact far exceeds any reasonable responsible disclosure policy.
I am opening this public issue to both warn existing and potential users of a potential flaw, and to seek further guidance on who/how/where to report this.
Unless persuaded otherwise, after one week from today at most, I will publish a fix and tests for the security flaw in the form of a PR, and within 24 hours after that, being a Jazzband member myself, I will merge it into the main branch of this repository. I will then attempt to publish a release to PyPI, with my existing user credentials and permissions (not sure if this will be successful, but I feel it is the responsible thing to do).
I am more than happy to continue this discussion privately with other existing maintainers in an attempt to provide my flaw and fix, and brainstorm instructions for existing django-user-sessions users. But I will not be publicly answering any questions regarding the nature of the flaw.
I discovered a potential security flaw in this package, and reported it to the Jazzband security mailing address as directed to on this page over a year ago.
My initial email was acknowledged, I was told that my email was forwarded onto the project lead, and then all further contact ceased despite my repeated attempts.
I have also email Bouke directly, who was responsive, but they have stepped away from maintaining this project and cannot help me any further.
I have tried to follow the published guidelines for reporting security flaws and I have gotten nowhere after giving a very diplomatic amount of time to respond. But almost one year of non-contact far exceeds any reasonable responsible disclosure policy.
I am opening this public issue to both warn existing and potential users of a potential flaw, and to seek further guidance on who/how/where to report this.
Unless persuaded otherwise, after one week from today at most, I will publish a fix and tests for the security flaw in the form of a PR, and within 24 hours after that, being a Jazzband member myself, I will merge it into the
mainbranch of this repository. I will then attempt to publish a release to PyPI, with my existing user credentials and permissions (not sure if this will be successful, but I feel it is the responsible thing to do).I am more than happy to continue this discussion privately with other existing maintainers in an attempt to provide my flaw and fix, and brainstorm instructions for existing django-user-sessions users. But I will not be publicly answering any questions regarding the nature of the flaw.