Create SECURITY.md

[pboling]

I'm not sure what should go in this file, and that is precisely the problem.

@BobbyMcWho @suprnova32 who is the current maintainer? Need guidance on disclosing a security vulnerability.

[BobbyMcWho]

@pboling I don't think there's anyone that actively claims it. I have merge rights over pretty much everything in omniauth, but I don't have rubygems access to the gem. https://rubygems.org/gems/omniauth-saml

I don't particularly want to add another ruby responsibility as I'm mostly in Elixir land these days, though an occasional review/merge is okay, I'm not sure who should own a vulnerability report.

[suprnova32]

There hasn't been a new version of this gem in over 2 years. The only supported version is the latest one. If there are security vulnerabilities related to the code within this gem, creating an issue here to let the maintainers know you have found a vulnerability and how to best contact you is the way to go. We can then take action from there, specially if the vulnerability is dangerous and cannot be discussed in public.

If the vulnerability is related to libraries this gem depends on, the report should be made on those projects. Once they have been updated, we can update this gem to include the newest versions.

[pboling]

It is a vulnerability in a dependency of this gem, which has not yet been disclosed, but which will affect users of this gem, and which will require upgrades. The discloser is attempting to discuss it with maintainers of this gem, which is how I got looped in, as an adjacent omniauth-* plugin maintainer, but I cannot find your email address, @suprnova32. I can loop you into the email chain if you would like to email me. I can't find your email listed anywhere online (https://patriciocano.me/ is down). You can find my email address on my Github profile, or at https://peterboling.com/contact

Separately, this project needs a documented security policy.

The only supported version is the latest one. If there are security vulnerabilities related to the code within this gem, creating an issue here to let the maintainers know you have found a vulnerability and how to best contact you is the way to go. We can then take action from there, specially if the vulnerability is dangerous and cannot be discussed in public.

If the vulnerability is related to libraries this gem depends on, the report should be made on those projects. Once they have been updated, we can update this gem to include the newest versions.

Perhaps we can just slot that into the README?

[pboling]

FYI: The vulnerability will be disclosed tomorrow.

Perhaps there should be additional maintainers who are more accessible to security researchers? I volunteer if that is desirable.

[bufferoverflow]

I think we should rather enable the built-in functionality:

I can also publish this gem, but as we do not have a lot of activity there was no need to publish a new version.

I have enabled Private vulnerability reporting now.

[bufferoverflow]

@pboling Could you please rebase and then we can merge this.

btw. new release is published https://rubygems.org/gems/omniauth-saml

[pboling]

@bufferoverflow done!