I have reported an issue through the form https://moodle.org/mod/page/view.php?id=8722. That was Wednesday 6 July late a'noon GMT. Haven't received an acknowledgement up to now. Are security issue submissions acknowledged?
Oops, Wednesday 6 August, I mean!
Hi Visvanath,
Firstly, great to hear you're using the submission form for the issue you found! You should have received an automated confirmation email from Bugcrowd if you filled in the "Researcher email" field at the bottom of the form (it would be worth checking your spam folder if you haven't already). Having said that, I just checked the queue and I don't see any new submissions between 6 August and now, so perhaps it did not submit? It would be worth trying to submit that again (and making sure you fill in the Researcher email field, just to be sure), and let me know whether you receive a confirmation email from that. I can again check on Monday to be sure it's been received as well. Feel free to put your name/initials/reference this forum post on there to make sure I can identify which one is yours (in case something else comes in as well).
Thanks!
Hi Michael
I didn't know about the researcher e-mail. Resubmitted a new version, I didn't keep a copy, received confirmation from Bugcrowd. There was an invitation to join the researcher portal. That is not a must, I believe. I'm no security researcher. This finding is probably known, but still curious how that works. I signed with my e-mail. Please do contact me via direct mail or PM on this site.
Haven't heard back, neither from BugCrowd nor Moodle security group. So it must have been a false alarm.
But was real for me. I will try to block a repetition by tightening the network.
A repeated attack today morning changes everything. If the Moodle security group is not interested, I will take it to a different community.
The other thing you can try is to report an issue in the Moodle Tracker/Jira and flag it as a security issue. There's a small group of trusted people monitoring those as well.
I don't know if it is the proper site. This login went halfway through: it sent me the e-mail check code back, but it is not accepting my account.

No need now, since Michael has established direct communication, thought of documenting here for the next time.
In case you do want to access Tracker for something else, it looks like you've ended up on our Confluence, the "Moodle Tracker" uses Jira (a different Atlassian product). You can log into that here: https://id.atlassian.com/login?application=jira
Oh yes, this time it recognized me, even the browser dug up the password. Landed on a page https://home.atlassian.com/o/xxx-xxx-xxx../?utm_source=identity&cloudId=.... Thanks!
Hi Visvanath, I've just checked in on this. I can see your submission - the Bugcrowd triage team responded to you on 9 August (08:01 UTC), you may need to check your spam folder in case the response didn't make it to your inbox. I will also send you a reply in a few minutes via the same platform to see whether you receive that. If you don't see anything from me via Bugcrowd in the next few hours (and also can't see anything in your spam folder), please let me know and I'll follow up in case there's an issue on the Bugcrowd side of things.
Just a quick follow-up on this - I've sent a reply to your submission and I have also sent you an email directly, just in case there's a problem with the Bugcrowd platform emails reaching you. Please let me know if you don't receive either of those.
Hi Michael
Searched my mailboxes, I always use the same e-mail for everything moodle.org, no response, neither from BugCrowd nor moodle.org team. I received your direct reply 20 min ago. Will respond to that after going through the evidence again, which could be the weekend.