Potential security issue

[JamieSlome]

Hey there!

I belong to an open source security research community, and a member (@oivrip) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

[justusschock]

Hi @JamieSlome , as you see @Borda already started to put together such a document. We are internally discussing which mail address to put there. For now the easiest way would probably be to talk to @tchaton @Borda , me or anybody else from our team (@PyTorchLightning/core-contributors ) on our slack directly.

[JamieSlome]

@justusschock - thanks for the swift response! ⚡

Our system will automatically send further details to the elected e-mail in your SECURITY.md, however, if you want to view the private report, you can view it here:

https://huntr.dev/bounties/31832f0c-e5bb-4552-a12c-542f81f111e6/

Only maintainers with write access will have permission to view the contents!

[carmocca]

Thank you @JamieSlome, I've validated the report. As the fix should be simple, feel free to open a PR with it.