"How to disclose a security vulnerability" Reading List

"How to disclose a security vulnerability" Reading List

I gave this talk at Codemash 2017, and here are all the resources I mentioned during the talk!

Todo List

  1. Make a keypair - instructions at PGP and You

  2. Share it via Keybase or a key server so people can verify it belongs to you

  3. Send encrypted emails to a friend for practice. Once you have gpg2 installed:

     # import your friend's public key into your keyring
     $ gpg2 --import recipients-public-key.asc
     
     # write the body of your email in message.txt
     # e = encrypt, a = ascii, r = recipient
     $ gpg2 -ea -r Recipient message.txt
     
     $ pbcopy < message.txt.asc
     # paste into an email and send!
     
     # Copy reply encrypted with your public key 
     # from your email into reply.txt.asc
     $ pbpaste > reply.txt.asc
     
     # d = decrypt
     $ gpg2 -d reply.txt.asc
     
     # enter your password and receive plain text!
    
  4. Add contact info + public key to your open source projects for people to report vulnerabilities

  5. At work, add a /security contact page
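
A runnable rehearsal of steps 1 to 3, added here as an example and not taken from the talk or the gist: two throwaway GnuPG homes stand in for you and your friend, the recipient's fingerprint is compared after import, and a message is encrypted and decrypted. It assumes gpg 2.1 or newer on the PATH; the names "me"/"friend" and the message text are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the gist: rehearse the todo-list workflow offline with two
# throwaway GnuPG homes. "me"/"friend" and the message are constructed for this demo;
# assumes gpg 2.1+ on PATH.
set -eu
GPG=$(command -v gpg2 || command -v gpg || true)

# Run gpg non-interactively. An empty passphrase is for the demo only;
# a real key belongs behind a passphrase.
gpgb() {
    "$GPG" --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null
}

# Primary-key fingerprint of <email> in <homedir>, from machine-readable output.
fingerprint_of() {
    "$GPG" --homedir "$1" --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

pgp_roundtrip_demo() {
    if [ -z "$GPG" ]; then echo "SKIP: gpg not installed"; return 0; fi
    work=$(mktemp -d); me="$work/me"; friend="$work/friend"
    mkdir -m 700 "$me" "$friend"

    # Step 1: each side makes a keypair.
    gpgb --homedir "$me" --quick-gen-key "Me <me@example.test>" default default never
    gpgb --homedir "$friend" --quick-gen-key "Recipient <friend@example.test>" default default never

    # Step 2: the recipient publishes a public key; I import it and compare its
    # fingerprint with one obtained out of band (here: read from the friend's own keyring).
    "$GPG" --homedir "$friend" --armor --export friend@example.test > "$work/recipients-public-key.asc"
    gpgb --homedir "$me" --import "$work/recipients-public-key.asc"
    [ "$(fingerprint_of "$me" friend@example.test)" = "$(fingerprint_of "$friend" friend@example.test)" ] ||
        { echo "fingerprint mismatch: do not encrypt to this key"; return 1; }

    # Step 3: encrypt (e = encrypt, a = ascii armor, r = recipient). --trust-model always
    # stands in for the manual fingerprint check just performed.
    printf 'hello from codemash\n' > "$work/message.txt"
    gpgb --homedir "$me" --trust-model always -ea -r friend@example.test \
        --output "$work/message.txt.asc" "$work/message.txt"

    # Step 4: the recipient decrypts the armored file (d = decrypt).
    gpgb --homedir "$friend" -d "$work/message.txt.asc"

    for h in "$me" "$friend"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"
}

pgp_roundtrip_demo
```

The function prints the decrypted message; a fingerprint mismatch after import makes it stop before encrypting anything.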

Secure communications

Security vulnerability I found

Books and articles

Case studies

GitHub/Rails Mass Assignment - Mar 2012

Rubygems YAML - Jan 2013
