top | item 46593380

(no title)

thdxr | 1 month ago

the email they found was from a different repo and not monitored. this is ultimately our fault for not having a proper SECURITY.md on our main repository

the issue that was reported was fixed as soon as we heard about it - going through the process of learning about the CVE process, etc now and setting everything up correctly. we get 100s of issues reported to us daily across various mediums and we're figuring out how to manage this

i can't really say much beyond this is my own inexperience showing

discuss

varenc|1 month ago

Also consider putting a security.txt[0] file on your main domain, like here: https://opencode.ai/.well-known/security.txt

I also just want to sympathize with the difficulty of spotting the real reports from the noise. For a time I helped manage a bug bounty program, and 95% of issues were long reports with plausible titles that ended up saying something like "if an attacker can access the user's device, they can access the user's device". Finding the genuine ones requires a lot of time and constant effort. Though you get a feel for it with experience.

[0] https://en.wikipedia.org/wiki/Security.txt

edit: I agree with the original report that the CORS fix, while a huge improvement, is not sufficient since it doesn't protect from things like malicious code running locally or on the network.

edit2: Looks like you've already rolled out a password! Kudos.

rando77|1 month ago

I've been thinking about using LLMs to help triage security vulnerabilities.

If done in an auditably unlogged environment (with a limited output to the company, just saying escalate) it might also encourage people to share vulns they are worried about putting online.

Does that make sense from your experience?

[1] https://github.com/eb4890/echoresponse/blob/main/design.md

KolenCh|1 month ago

I learnt this the hard way: if anyone is sending multiple emails, with seemingly very important titles and messages, and they get no reply at all, the receiver likely haven’t received your email rather than completely ghosting you. Everyone should know this, and at least try a different channel of communication before further actions, especially from those disclosing vulnerability.

Imustaskforhelp|1 month ago

Thanks for providing additional context. I appreciate the fact that you are admitting fault where it is and that's okay because its human to make errors and I have full faith from your response that OpenCode will learn from its errors.

I might try OpenCode now once its get patched or after seeing the community for a while. Wishing the best of luck for a more secure future of opencode!

BoredPositron|1 month ago

Fixed? You just change it to be off by default giving the security burden to your users. It's not fixed it's buried with minimal mitigation and you give no indication to your users that it will make your machine vulnerable if activated. Shady.

naowal|1 month ago

Actually as of v1.1.15 it is fixed: https://github.com/anomalyco/opencode/releases/tag/v1.1.15

euazOn|1 month ago

I am also baffled at how long this vulnerability was left open, but I’m glad you’re at least making changes to hopefully avoid such mistakes in the future.

Just a thought, have you tried any way to triage these reported issues via LLMs, or constantly running an LLM to check the codebase for gaping security holes? Would that be in any way useful?

Anyway, thanks for your work on opencode and good luck.