【Security】No response to security vulnerability report sent to support@portkey.ai

[Chenpinji]

I am writing to ask whether there is an active process or team managing security vulnerability reports.

I reported two potential security vulnerabilities by emailing support@portkey.ai
about one week ago, but I have not yet received any acknowledgment or response. I wanted to follow up here to ensure that the report was received and to understand the appropriate channel for responsible disclosure.

[Chenpinji]

Hi,

I just wanted to kindly check if there are any updates on this issue.

Please let me know if I can provide any additional information to help move this forward.

Thanks again for your time and effort!

[narengogi]

Hey @Chenpinji could you help me with the title of your email/your email id? I'm unable to see any emails

[Chenpinji]

Hey @narengogi,

I think there may have been a misunderstanding. The emails you listed were not sent by me. The emails I sent have the following subjects:

【Vulnerability】Unbounded Memory Cache Leading to Out-of-Memory (OOM) Vulnerability in Portkey AI Gateway
【Vulnerability】Request Loop Attack Vulnerability in Portkey AI Gateway

My email address is cpj24@mails.tsinghua.edu.cn.

Since it seems that you are not receiving my emails (possibly due to your mail gateway blocking them), I will share the two vulnerability reports with you directly here. Notably, for ethical reasons, I have not shared the PoC here. If possible, could you provide an email address I can contact? I would be happy to send the PoCs to you directly for evaluation.

portkey-ai.md

LOOP_ATTACK_VULNERABILITY_REPORT.md

[narengogi]

@Chenpinji oh okay lol, let me check

[Chenpinji]

Hi, I'm writing to follow up on the valid report of Request Loop Attack Vulnerability in Portkey AI Gateway. What is the current status of this report? If it is valid, would you like to credit us and assign a CVE for this vulnerability?

Thank you very much for your time and effort.

[narengogi]

Yes @Chenpinji let me look at this and create a CVE and credit you

[narengogi]

@Chenpinji thankyou for finding this, I've patched the issue, however it is not a CVE as it does not exfiltrate any security credentials, it only crashes the server and is a bug

Happy to give you a shoutout on linkedin/twitter if that is better for you?

[Chenpinji]

Thanks for the response and for patching the issue — really appreciate it.

I understand your point that this does not involve credential exfiltration. However, since the issue can crash the server, it may still fall under a denial-of-service (DoS) class of vulnerabilities, which is typically considered a security impact in terms of availability.

Would you be open to publishing this via GitHub Security Advisory and assigning a CVE (it's easy to do this in GitHub Security, which just needs to click a button)? In many cases, even DoS-only issues are assigned CVEs for tracking and downstream users’ awareness.

Let me know what you think 🙂