About the Platform category

Questions, bugs, and feedback on product workflows, dashboard, integrations, documentation, and CLI.

This category is used for discussion around suggestions/bugs/feedback in the platform, including – VCS integrations, dashboard, CLI, workflows, documentation, feature requests, etc.

Hey,

As suggested earlier, I would like to update you guys again regarding the published bugs, security issues and features that DeepSource provides to users. Due to this, all the data is published or listed on Google, and an attacker or hacker can take leverage of this in performing attacks, as they would be aware of the bugs and security flaws. I know that the users' source code is already published on GitHub, but providing their flaws is like heaven to hackers. So, I would like to request you to make some changes like:

  1. Request Google to unlist all the user-related data.
  2. This data is possibly being published publicly due to an associated feature on your platform, the Repository Badge.
  3. You can also introduce an additional feature that can restrict user data from being published on Google.

Regards,
Vishvender
Security Barn

Thanks for bringing this up. I don’t think DeepSource falls in the security vulnerability category that you mention.

Reasons:

  1. Only public repo stats are visible publicly. These are open-source repos whose code is already available on GitHub/GitLab/Bitbucket. In that sense, DeepSource has the same security implications as GitHub Issues.
  2. Private repo stats are only accessible to the account owners, and members of their team if it is a team account.

Happy to discuss this further.

Also, in my limited understanding of infosec, hiding search results from search engines is not going to help any good enough malicious actor to try and break into our system. Security by obscurity is not a good implementation as in it does not solve any real security issue.

These issues have more value in helping people learn. That is why DeepSource adds descriptions to each issue. The idea is, as people learn more and understand the root causes, they will write better software.

We’re all hackers here. So, we do respect and understand the hacker mentality.

It may be that I’m missing a key point here. I’m all ears if you have any other suggestion to address this phenomenon.

Also, I’m curious whether you have let GitHub know about the same vulnerability too. I see a lot of search result entries for otherwise critical bugs in projects used by millions.