How to report a security issue? #1466
Please try out whether that security issue still exists in https://github.com/FreeOpcUa/opcua-asyncio as well. @oroulet if this is still the case, what would be the preferred way then? Just opening an issue or dealing with it in another way?
As both libraries share the same codebase they are both vulnerable. I will try asking in opcua-asyncio too.
Just open a bug request and use the word security. That will work. Also when I started that project my goal was to be able to connect to the PLC around from Python. Just being able to connect was a huge success and security was really not my concern (it is still not since 99% of the time I work on closed systems: ONE pc, ONE plc with one cable) and I am sure python-opcua is full of security issues. Just a simple code review would point out many issues; up until a few weeks ago, you could send queries to our server without even opening the secure channel.... When this is said, if someone has the time and interest to look at the code and document the main issues it would be great. Even better propose fixes and implement them ;-)
@oroulet thanks for replying! I prefer not to disclose the vulnerability in public via an open issue. Any chance we could privately send it via email?
I am not really sure what to do. We are not a private organization. If the issue is disclosed in public there is much more chance that someone is interested and fixes it than if you send it to me or a few others that may not have time to look at it. Also if someone wants to find a security issue in opcua-asyncio, he probably just needs to look at the code for a few minutes....
@oroulet I really prefer disclosing the vulnerabilities to you privately, and then if you believe they should be opened to the public, that's fine with me. Some of the vulns we found affect the cpp implementation while others the Python implementation.
We would like to responsibly report on a vulnerability we found in python opcua. Where should we send our detailed report?
Additionally I would like to suggest adding a security policy to the repository to help other security researchers reach out to you properly.
Thanks!
Team82 Claroty Research
https://claroty.com/team82/