About the Platform category

Questions, bugs, and feedback on product workflows, dashboard, integrations, documentation, and CLI.

This category is used for discussion around suggestions/bugs/feedback in the platform, including – VCS integrations, dashboard, CLI, workflows, documentation, feature requests, etc.


Hey,

As suggested earlier, I would like to update you again regarding the published bugs, security issues and features that DeepSource provides to users. Due to this, all the data is published or listed on Google, and an attacker or hacker can take leverage of this in performing attacks, as they would be aware of the bugs and security flaws. I know that the source code of the users is already published on GitHub, but providing their flaws is like heaven to hackers. So, I would like to request you to make some changes like:

  1. Request Google to unlist all the user-related data.
  2. This data is possibly published publicly due to an associated feature on your platform, which is the Repository Badge.
  3. You can also introduce an additional feature which can restrict user data from being published on Google.

Regards,
Vishvender
Security Barn
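The third suggestion above (a per-page option that keeps report pages out of search results) is normally implemented with the standard robots directives rather than by asking the search engine to unlist URLs after the fact. The following is an added example, not code from DeepSource or from the poster: a small checker that tells you, for a given page, whether it is blocked in robots.txt, carries a `noindex` directive (via the `X-Robots-Tag` header or a `<meta name="robots">` tag), or is indexable. The site layout, robots.txt and sample pages are constructed for the example; the hostname is a placeholder.

```python
"""Check whether a page is kept out of search indexes.

Assumed (hypothetical) layout: report pages live under /gh/<owner>/<repo>/
and the operator wants them non-indexable. Nothing here is fetched over the
network; the robots.txt, headers and HTML below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


def _split_directives(value):
    """'noindex, nofollow' -> {'noindex', 'nofollow'}; drops an agent prefix
    such as 'googlebot: noindex' but keeps 'unavailable_after: <date>'."""
    out = set()
    for part in value.split(","):
        part = part.strip().lower()
        if ":" in part and not part.startswith("unavailable_after"):
            part = part.split(":", 1)[1].strip()
        if part:
            out.add(part)
    return out


class _MetaRobots(HTMLParser):
    """Collect directives from <meta name="robots"|"googlebot" content=...>."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.update(_split_directives(a.get("content", "")))


def header_directives(headers):
    """Directives from X-Robots-Tag headers; the header may repeat."""
    out = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            out.update(_split_directives(value))
    return out


def meta_directives(html):
    parser = _MetaRobots()
    parser.feed(html)
    return parser.directives


def indexing_status(robots_txt, url, headers, html, agent="Googlebot"):
    """Return 'blocked-by-robots', 'noindex' or 'indexable'.

    Caveat: a URL disallowed in robots.txt is never fetched, so a noindex
    directive on that page is never seen by the crawler, and the bare URL can
    still be listed if it is linked from elsewhere. To keep a page out of the
    index it must be crawlable *and* carry noindex.
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(agent, url):
        return "blocked-by-robots"
    directives = header_directives(headers) | meta_directives(html)
    if "noindex" in directives or "none" in directives:
        return "noindex"
    return "indexable"


# Constructed sample data for the example.
SAMPLE_ROBOTS_TXT = "User-agent: *\nDisallow: /internal/\n"
SAMPLE_PAGES = {
    "header": ("https://example.invalid/gh/acme/app/",
               [("Content-Type", "text/html"), ("X-Robots-Tag", "noindex, nofollow")],
               "<html><head><title>acme/app</title></head></html>"),
    "meta": ("https://example.invalid/gh/acme/lib/",
             [("Content-Type", "text/html")],
             '<html><head><meta name="robots" content="noindex"></head></html>'),
    "blocked": ("https://example.invalid/internal/stats",
                [("Content-Type", "text/html")],
                '<html><head><meta name="robots" content="noindex"></head></html>'),
    "open": ("https://example.invalid/gh/acme/site/",
             [("Content-Type", "text/html")],
             "<html><head><title>acme/site</title></head></html>"),
}


def run_samples():
    """Classify every constructed sample page."""
    return {name: indexing_status(SAMPLE_ROBOTS_TXT, url, headers, html)
            for name, (url, headers, html) in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name}: {status}")
```

The "blocked" case is the one to watch for: a Disallow rule looks like the stronger control but actually prevents the crawler from ever seeing the noindex directive, so the URL can still surface in results.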

Thanks for bringing this up. I don’t think DeepSource falls in the security vulnerability category that you mention.

Reasons:

  1. Only public repo stats are visible publicly. These are open-source repos whose code is already available on GitHub/GitLab/Bitbucket. In that sense, DeepSource has the same security implications as GitHub Issues.
  2. Private repo stats are only accessible to the account owners, and members of their team if it is a team account.

Happy to discuss this further.

Also, in my limited understanding of infosec, hiding search results from search engines is not going to help against any good enough malicious actor trying to break into our system. Security by obscurity is not a good implementation, as it does not solve any real security issue.

These issues have more value in helping people learn. That is why DeepSource adds descriptions to each issue. The idea is, as people learn more and understand the root causes, they will write better software.

We’re all hackers here. So, we do respect and understand the hacker mentality.

It may be that I’m missing a key point here. I’m all ears if you have any other suggestion to address this phenomenon.

Also, I’m curious whether you have let GitHub know about the same vulnerability too. I see a lot of search result entries for otherwise critical bugs in projects used by millions.

Hey,

I understand obscurity is not a good policy implementation, but you must understand the difference between putting bugs into the hands of hackers and letting them search for them. Recently, you must have heard about the published phone numbers of people using WhatsApp; even they didn’t consider this a bug, but later Google removed those numbers from its listing. I hope you understand we should not look into security whenever a breach happens, but should always take precautions so that we can be safe enough.

I know you guys want good and helpful things out of your product in terms of learning, and I respect that, but you don’t know the person on the learning end. This is like running a government: you can’t disclose everything in front of the public, even if it is a democracy where everyone should and does have the right to know everything.

Rest, it is up to you. I have recommended what measures you guys can take.

I would be happy if you take some measures. Thanks!

Regards,
Vishvender
SecurityBarn