Inquiry regarding vulnerability disclosure

[quasar098]

I originally wanted to disclose a vulnerability, but am lost.

The ./pyproject.toml states modelscan is at version 0.0.0, and the latest release is 0.3.0.

Both of these are not applicable to the security policy, it seems (they are not conforming to 1.X)

Are vulnerabilities to be reported currently, or maybe not?

[chrisking]

Great catch @quasar098 . @seanpmorgan can you take a look at this and update the .toml file?

@quasar098 if you haven't already done so outside of this issue, please checkout https://github.com/protectai/modelscan/blob/main/SECURITY.md and we'll start the triage process on your findings.

[seanpmorgan]

Hi @quasar098 thanks for filing this ticket! Couple of things:

1. I merged a PR that updates our security policy to include 0.x versions. As chris mentioned, please go ahead and submit vulnerabilities as directed in SECURITY.md

2. The library version in pyproject.toml gets overwritten when we publish as a tagged version. This is an easy deployment process for us, but I'm in agreement that it can make it difficult to know the current version by viewing main branch. We're working on a solution to update this in an automated way.

3. We just cut release v0.4.0 today so that is the current version that has been published to pypi.

4. Part of that release included two (one, two) security patches from picklescan. Is this what you had in mind for your disclosure or is it something else?

Thanks again!

[quasar098]

there is that, and more. sending an email regarding it soon

i've done it