Thanks a lot for helping to keep open source secure and useful for many developers!
If you have found a vulnerability, please follow these steps to report the security issue.
- Create an issue on GitHub without any details on the bug itself; use a title such as "Possible vulnerability found, please contact me".
While working on the issue, we move all further communication to a draft security advisory. This keeps the vulnerability hidden from the public.
- We will create a draft security advisory and invite you as a collaborator.
- Add a comment to the draft security advisory with a detailed description of the vulnerability (include all of the following details in your description):
  - Platform used, for example: Microsoft Windows Server 2019 Standard, x64, IIS 8
  - Exact command used to build AjaxPro, or whether you used a release package
  - Attach a screenshot of the crash
  - Attach a proof-of-concept that reproducibly demonstrates the issue
  - The source location of the bug and/or any other information that you are able to provide about the cause of the bug
- We will work together with you to reproduce the issue on our side and prepare a fix shortly
The draft security advisory is private until we publish it, so it is a good place to discuss the details of the vulnerability privately.
To qualify as a security issue, the bug must be reproducible on an official release of AjaxPro. Official releases are listed here (https://github.com/michaelschwarz/Ajax.NET-Professional/releases), not including those labeled "pre-release". Bugs that are only reproducible on the main branch or on a pre-release are not security issues and can be reported as regular issues.