Hi saltyorg team,
I'm an independent security researcher (GitHub: @CyberKareem) with a private vulnerability report ready for this repository — live-validated end-to-end against the current default branch.
Your security policy / SECURITY.md points to GitHub Security Advisories (GHSA) as the disclosure channel, but the Private Vulnerability Reporting (PVR) feature is not currently enabled on this repo. The GHSA private-report API at POST /repos/saltyorg/docs/security-advisories/reports returns HTTP 403 "Repository does not have private vulnerability reporting enabled", so I cannot file the draft advisory through the proper channel.
To enable PVR (~30 seconds, admin/maintainer only):
- Open: https://github.com/saltyorg/docs/settings/security_analysis
- Scroll to Private vulnerability reporting
- Click Enable
Once enabled, I'll submit the draft advisory within the hour. Only you (and collaborators with appropriate repo access) will see it — there is no public visibility until you publish or 90 days elapse, whichever you prefer.
To help triage priority:
- Severity (self-assessed): Critical
- Status: live-validated end-to-end
- No public disclosure to date — this is the only outreach
- Disclosure preference: 90-day coordinated disclosure (GHSA default), flexible on your timeline
Happy to share any additional context that helps you triage. Please reply here or flip the PVR toggle and I'll file the report immediately. I'm not naming the bug class publicly to preserve responsible disclosure norms; that detail goes in the private advisory once PVR is enabled.
Thanks for shipping this project publicly with a security policy.
— Abdullah Kareem ("cyberkareem")
GitHub: https://github.com/CyberKareem
Web: https://linktr.ee/cyberkareem
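As an added illustration of the two API calls the message refers to (this is example code, not anything from the researcher or from the saltyorg project): a small Python script that checks a repository's Private Vulnerability Reporting status and, if it is enabled, files the draft advisory through the documented endpoints. The endpoints and the 403 message are taken from the GitHub REST API reference; the field limits, the `request` injection point and the sample responses in the usage are assumptions made here so the logic can be exercised offline.

```python
"""Added example: check GitHub Private Vulnerability Reporting (PVR) status and
file a draft advisory via the REST API (API version 2022-11-28).

Endpoints used (per docs.github.com/rest):
  GET  /repos/{owner}/{repo}/private-vulnerability-reporting  -> 200 {"enabled": bool}
  POST /repos/{owner}/{repo}/security-advisories/reports      -> 201 on success;
       403 "Repository does not have private vulnerability reporting enabled" if PVR is off.
The `request` parameter is injectable (assumption of this example) so the
decision logic can be tested offline with constructed responses.
"""
import json
import urllib.error
import urllib.request

API = "https://api.github.com"
SEVERITIES = {"critical", "high", "medium", "low"}


def gh_request(method, path, token, body=None):
    """Minimal authenticated GitHub API call. Returns (http_status, json_body)."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    }
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(API + path, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"message": raw.decode("utf-8", "replace")}


def pvr_enabled(owner, repo, token, request=gh_request):
    """True/False when the PVR status endpoint answers; None when it cannot be
    read (a 404 means the repo is missing or the token cannot see it)."""
    status, body = request("GET", f"/repos/{owner}/{repo}/private-vulnerability-reporting", token)
    if status == 200:
        return bool(body.get("enabled"))
    return None


def build_report(summary, description, severity=None, cwe_ids=None,
                 cvss_vector=None, start_private_fork=False):
    """Build the JSON body for POST .../security-advisories/reports.
    Length limits below (1024 / 65535 chars) are the documented ones."""
    if not summary or len(summary) > 1024:
        raise ValueError("summary must be 1..1024 characters")
    if not description or len(description) > 65535:
        raise ValueError("description must be 1..65535 characters")
    payload = {"summary": summary, "description": description,
               "start_private_fork": bool(start_private_fork)}
    if severity is not None:
        if severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
        payload["severity"] = severity
    if cwe_ids:
        payload["cwe_ids"] = list(cwe_ids)        # e.g. ["CWE-79"]
    if cvss_vector:
        payload["cvss_vector_string"] = cvss_vector
    return payload


def classify_report_response(status, body):
    """Map the POST result to an outcome the caller can act on."""
    message = str(body.get("message", ""))
    if status == 201:
        return "created"
    if status == 403 and "private vulnerability reporting" in message.lower():
        return "pvr_disabled"          # maintainers must enable PVR first
    if status == 404:
        return "not_found"             # repo missing, or token lacks access
    if status == 422:
        return "invalid_report"        # payload failed validation
    return "error"


def submit_report(owner, repo, token, report, request=gh_request):
    """File the draft advisory; returns (outcome, advisory_url_or_None)."""
    status, body = request("POST", f"/repos/{owner}/{repo}/security-advisories/reports",
                           token, report)
    outcome = classify_report_response(status, body)
    return outcome, (body.get("html_url") if outcome == "created" else None)


if __name__ == "__main__":
    import os
    import sys
    # Usage: GITHUB_TOKEN=... python pvr_check.py saltyorg/docs
    owner, repo = sys.argv[1].split("/", 1)
    print("PVR enabled:", pvr_enabled(owner, repo, os.environ["GITHUB_TOKEN"]))
```

Run against a real repository the script only reads the PVR flag; `submit_report` is left for the caller to invoke deliberately, since a successful POST creates a draft advisory visible to the maintainers. The 403 branch is the situation the message describes: the report cannot be filed until someone with admin access enables the feature under the repository's security settings.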