Report Vulnerability

Hi,
I have a vulnerability report for the MATE Environment. I have taken a CVE ID from MITRE but I have not published it anywhere. Can I send you the report? Do you publish it? Do I get a bounty?
Thanks

1 Like

Hi, @MarziehHashemi :slight_smile:

(Usual disclaimer: please note that I'm just another Forum user here. I'm NOT an Ubuntu Developer and/or Ubuntu MATE Developer and/or MATE Developer).

You've asked:

That's a good question :thinking: From some web searches that I've done, I've found the following related discussion in an Issue - https://github.com/mate-desktop/mate-desktop/issues/591 - in the "mate-desktop" repository - https://github.com/mate-desktop/mate-desktop/ - in GitHub:

Related to that discussion, I've found the following relevant section of the "Privately reporting a security vulnerability - GitHub Docs" web page - https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability :

"(...)

  • You can only report a vulnerability privately for repositories where private vulnerability reporting is enabled, and you don't have to follow the instructions in the SECURITY.md file. This reporting process is fully private, and GitHub notifies the repository administrators directly about your submission.

Privately reporting a security vulnerability

If you do not have admin or security permissions for a public repository, you can still privately report a security vulnerability to repository maintainers. You can also evaluate the general security of a public repository and suggest a security policy. For more information, see "Evaluating the security settings of a repository."

1. On GitHub.com, navigate to the main page of the repository.

2. Under the repository name, click Security. If you cannot see the "Security" tab, select the dropdown menu, and then click Security.

3. Click Report a vulnerability to open the advisory form.

4. Fill in the advisory details form.

Tip: In this form, only the title and description are mandatory. (In the general draft security advisory form, which the repository maintainer initiates, specifying the ecosystem is also required.) However, we recommend security researchers provide as much information as possible on the form so that the maintainers can make an informed decision about the submitted report. You can adopt the template used by our security researchers from the GitHub Security Lab, which is available on the github/securitylab repository.

For more information about the fields available and guidance on filling in the form, see "Creating a repository security advisory" and "Best practices for writing repository security advisories."

5. At the bottom of the form, click Submit report. GitHub will display a message letting you know that maintainers have been notified and that you have a pending credit for this security advisory.

Tip: When the report is submitted, GitHub automatically adds the reporter of the vulnerability as a collaborator and as a credited user on the proposed advisory.

6. Optionally, click Start a temporary private fork if you want to start to fix the issue. Note that only the repository maintainer can merge changes from that private fork into the parent repository.

The next steps depend on the action taken by the repository maintainer. For more information, see "Managing privately reported security vulnerabilities.""

After reading that article, I see that the "mate-desktop" Repository in GitHub at least does have a "Security" page - https://github.com/mate-desktop/mate-desktop/security - with a "Report a vulnerability" (green) button.

I hope this helps :slight_smile:

2 Likes
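As an added example (not from this thread, from Ubuntu MATE, or from GitHub's own tooling): the same two checks the quoted procedure makes through the web UI, done against the GitHub REST API instead. It assumes the `private-vulnerability-reporting` and `security-advisories/reports` endpoints behave as documented by GitHub and that a token with permission to post reports is available; the sample JSON bodies below are constructed.

```python
"""Prepare a private vulnerability report for a GitHub repository such as
mate-desktop/mate-desktop.  Assumed endpoints (not stated in the thread):
  GET  /repos/{owner}/{repo}/private-vulnerability-reporting  -> {"enabled": bool}
  POST /repos/{owner}/{repo}/security-advisories/reports      -> creates the report
"""
import json
import urllib.request

API = "https://api.github.com"

def pvr_url(owner: str, repo: str) -> str:
    """URL that says whether private vulnerability reporting (PVR) is enabled."""
    return f"{API}/repos/{owner}/{repo}/private-vulnerability-reporting"

def pvr_enabled(body: str) -> bool:
    """Interpret the PVR endpoint's JSON body; anything malformed counts as disabled,
    because the docs say you can only report privately where PVR is enabled."""
    try:
        return bool(json.loads(body).get("enabled", False))
    except (ValueError, AttributeError):
        return False

def report_channel(pvr_body: str) -> str:
    """Decide where the report should go, following the quoted GitHub guidance."""
    return "github-private-report" if pvr_enabled(pvr_body) else "follow-SECURITY.md"

def build_report(summary: str, description: str, **extra) -> dict:
    """Build the report payload.  Per the quoted docs only the title (summary) and
    description are mandatory; the optional keys are an assumption about the API."""
    if not summary.strip() or not description.strip():
        raise ValueError("summary and description are mandatory")
    allowed = {"severity", "cwe_ids", "cvss_vector_string",
               "vulnerabilities", "start_private_fork"}
    unknown = set(extra) - allowed
    if unknown:
        raise ValueError(f"unknown report fields: {sorted(unknown)}")
    return {"summary": summary.strip(), "description": description.strip(), **extra}

def submit_report(owner: str, repo: str, report: dict, token: str) -> dict:
    """POST the report privately (network call; not exercised offline)."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/security-advisories/reports",
        data=json.dumps(report).encode(), method="POST",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```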

Welcome @MarziehHashemi to the community!

1 Like