Rebar3 is a build tool that by design allows arbitrary code execution from downloaded components. Scripts can be executed in all kinds of areas of a regular project workflow including (but not limited to): scripts to modify configuration files, "parse transforms" (macros), plugins, provider and shell hooks, and so on.
Users of rebar3 should be aware of the nature of its model, and issues related to these parts of its design will not be considered to be security issues nor vulnerabilities.
All security issues should be reported to one or more of the current maintainers:
E-Mail addresses are available in github profiles, and PGP public keys in keybase profiles.
If you have not received a reply to your query within 48 hours, or have not heard from one of the maintainers for the past five days, there are a few steps you can take:
- One of the authenticated channels in the maintainers keybase profiles
- Open a github issue directly
- Ask on #rebar3 on the official Erlang slack team
- Ask on #rebar on IRC on freenode
- Ask on the rebar mailing list
Please note that the github issues, mailing list, and chat channels are public areas. When escalating in these venues, please do not discuss details of your issue. Simply say that you’re trying to get a hold of someone from the maintainer team.
We're a small project of volunteers working in whatever free time they have, with limited mechanisms to reach developers from other communication channels.
Disclosure will be fairly ad-hoc and made to reach as many people as possible.
Nevertheless, the expected steps are:
- The issue is received and discussed privately by the maintainers
- A fix is prepared and reviewed between maintainers
- When ready, the fix will be committed to the repository and a release will be cut
- An announcement will be made about the new release on the public channels associated to the project
The best way to know about security updates is to subscribe to any of the communication channels of the project.
If you have any suggestions to improve this policy, please contact the maintainers or open a github issue.
Updated about a month ago