Hi,

This package intentionally contains cryptographic test vectors; none
of these credentials are intended to be secret.

Alex

On Tue, Aug 13, 2024 at 7:33 AM <jiawei_z...@seu.edu.cn> wrote:
>
>
> Dear developers of the project (cryptography_vectors),
>
> We are software security researchers, currently conducting research on secret 
> detection and leakage risk within the open-source ecosystem.
>
> In our analysis, we identified potential secret leakage risks in your 
> project, cryptography_vectors.
>
> We provide the details of our findings in the attachment, which allows you to
> locate the potential leaked secrets. Below is an interpretation of the
> attached data:
>
> {   'file': '',          # The file containing the secret
>                          # The project name, version or commit_hash may be reflected in the file path
>     'line_start': 1,     # location: Start line of the secret
>     'line_end': 28,      # location: End line of the secret
>     'col_start': 1,      # location: Start column of the secret
>     'col_end': 1,        # location: End column of the secret
>     'index_start': 0,    # location: Start index of the secret
>     'index_end': 1675,   # location: End index of the secret
> }
>
>
> Declaration: we hereby declare that we have *NOT* conducted any verification
> test or exploit on the identified secrets. We plan to publish related
> research papers in the future, and the relevant content MIGHT BE ACCESSIBLE TO
> THE PUBLIC due to the 90-day disclosure policy.
>
> Some advice:
>
> 1. If the leaked secret is sensitive and still valid, invalidate and rotate the
> secret immediately.
> 2. Some secrets seem to be used only in a testing environment. Although
> probably harmless, it is considered bad practice to include secrets for a test
> environment in release builds.
>
> Best regards,
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev@python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev



-- 
All that is necessary for evil to succeed is for good people to do nothing.