Hi, apologies for posting here. I could not find any other contact point for my issue. Your HackerOne profile says to email security@gitlab.com for stuff like this, but after sending an email there, I got an auto-response bounce back asking me to create a support ticket. My concern is not something for support to handle.
Recently someone reached out to me on Twitter noting a security vulnerability in Commonmarker, a Ruby gem used to convert commonmark/markdown to HTML, which I maintain. He says he communicated with several individuals at GitLab to work on a fix. This fix was apparently released in GitLab 15.3.2, 15.2.4 and 15.1.6 CE/EE.
I have two questions about this:
- Does GitLab have a private fork of this widely used gem? If so, could you be good open source stewards and upstream patches to security issues like this? I am surprised (and disappointed) that no one from your team attempted to contact me about this issue.
- Can you sponsor me, and the continued maintenance of this gem? Open source is free, but unfortunately the rest of the world is not.
If GitLab relies on my open source project for its operations, I think there is a moral obligation for your company to support me, either financially or with patches. You are of course under no legal obligation to do so! It just seems strange to me, given your company’s open source ethos, to take without giving. If this were just a single security related issue that would be bad enough; but you also use my html-proofer and html-pipeline gems, and now I’m concerned that there are potentially several security issues you are not divulging.
Thank you for your attention on this matter.