Scope clarification: is llama-index-experimental eligible for huntr bounty? #20899
uchiha100x
started this conversation in
General
Replies: 1 comment
From my point of view, the cleanest interpretation is to separate bounty scope from repo ownership. If llama-index-experimental is not a first-degree dependency in the published package graph, I would not assume huntr eligibility just because it lives in the same monorepo. In practice I would still use the GitHub Security Advisory path first unless the team explicitly confirms huntr scope, because that avoids a disclosure mistake while maintainers decide how they want to handle the package boundary.
Hi, I've found a critical severity vulnerability (sandbox escape leading to RCE) in llama-index-experimental.
Before I submit, I wanted to clarify scope. The SECURITY.md states that only the main llama-index package and its first-degree dependencies are eligible for huntr bounties. llama-index-experimental doesn't appear as a direct dependency of the main package on PyPI.
However, the package lives in the same GitHub repo, is maintained by the same team, and the affected component (safe_exec) is a core part of documented query engine functionality.
Questions:
1. Is this eligible for a huntr bounty submission?
2. If not, should I disclose via the GitHub Security Advisory button instead?
Happy to share full details through whichever channel is appropriate. I have a working PoC.