Trying to get in touch regarding a security issue

[zidingz]

Hi there,

I couldn't find a SECURITY.md in your repository and am not sure how to best contact you privately to disclose a security issue.

Can you add a SECURITY.md file with an e-mail to your repository, so that our system can send you the vulnerability details? GitHub suggests that a security policy is the best way to make sure security issues are responsibly disclosed.

Once you've done that, you should receive an e-mail within the next hour with more info.

Thanks! (cc @huntr-helper)

[jonesde]

When you say we "should receive an e-mail within the next hour", who would that be coming from (or from which system)?

This repository (PopCommerce) is an odd one for reporting security vulnerabilities as there isn't much code in it. Most security vulnerabilities are in the moqui-framework and moqui-runtime repositories, rather than application 'shell' components like this one which just reuses screens from the SimpleScreens repository.

There has been some information about this for a long time, but I added some security specific sections in the online docs and a SECURITY.md file to the moqui-framework repository (the primary repo that is always required). Please see:

https://moqui.org/m/docs/moqui/Issue+and+Pull+Request+Guide#security-issues

https://github.com/moqui/moqui-framework/blob/master/SECURITY.md

[zidingz]

The email(s) will come from ********* and will provide a magic link (no sign-up required) to access the advisory page for a potential security issue on PopCommerce, reported by open source security researchers to huntr.dev.

I've found a contact email from moqui's security policy, and will send the emails over. Let me know if you've further questions; happy to help you understand our system better!