Create SECURITY.md

[JamieSlome]

Hey there!

I belong to an open source security research community, and a member (@bananabr) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

[crookedneighbor]

Thanks @JamieSlome, sorry for the delay. We think it's a great idea to include that file, I've been in the process of figuring out exactly what to put in that file from the PayPal security team.

In the short term, you can reach out to the PayPal Bug Bounty team: https://www.paypal.com/bugbounty/

[JamieSlome]

@crookedneighbor - thanks for your response 👍

The report can be found here:
https://huntr.dev/bounties/9e5392ab-04a6-4a73-8559-d178e48296f2/

It is currently private, but is accessible to maintainers with repository write permissions 👍 I can ask our researcher to submit their report directly to the HackerOne program, if you would prefer?

[crookedneighbor]

Yes, that would be great. Thank you!

[lodi-g]

Hey @crookedneighbor,

I have discovered a vulnerability as well in the library (which would not be fixed by your PR in progress).
Shall I report it to PayPal's bug bounty? Is braintree related to PayPal?

Edit: reported to PayPal: https://hackerone.com/reports/1564765

Cheers

[crookedneighbor]

Braintree is owned by PayPal, so PayPal's bug bounty is the best way to report vulnerabilities.

[lodi-g]

Hi @crookedneighbor, thanks. The report can be found here: https://hackerone.com/bugs?subject=user&report_id=1564765

[hollabaq86]

for internal tracking, issue 1631