I wonder who I know that knows someone at HackerOne that can convey the message that PyPI explicitly disallows security research packages, and bans users who upload them. Put that in a notice to your users somewhere prominent - since it's become pervasive and a drain on resources.
This also takes time away from legitimate security incident response - so it's a net negative for the world.
@miketheman What about Scapy? It is often employed as a protocol fuzzer. Does this not satisfy the criterion of "security research"?
@bms48 I don't have any issue with folks uploading **tools** to PyPI, especially if they are clearly described as such.
The issue is amplified when I get 10+ security reports a day with common exploit probing patterns, not tools.
@miketheman Doesn't Dustin Ingram have an answer for this up his sleeve?
@bms48 If he does, I have yet to find it - he must be a good magician.