Hi maintainers 👋
I've identified what I assess as a critical-severity security vulnerability in BitFun, reproduced against the current main branch.
I'm intentionally withholding all technical details here — no affected file, component, mechanism, or proof-of-concept — because publicly disclosing an unpatched issue would put current users at risk. This follows the project's own SECURITY.md / coordinated-disclosure policy.
I already have a complete report ready to share privately, including:
- Root-cause analysis and the exact location
- A working, self-contained proof-of-concept
- CVSS 3.1 scoring
- A proposed patch (diff) plus a regression test
What I need to proceed: a private channel. Right now the repo's /security/advisories/new link isn't usable by non-maintainers because Private Vulnerability Reporting appears to be disabled. Please do one of:
- Enable Private Vulnerability Reporting — repo Settings → Code security and analysis → Private vulnerability reporting → Enable. I'll then submit the full report through GitHub Security Advisories; or
- Reply with a private security contact (e.g. a security email) I can send the report to.
Once a private channel is open I'll hand over everything immediately, and I'm happy to coordinate a disclosure timeline after you've had a chance to review and patch.
Flagging as high priority given the severity. Thanks for building BitFun! 🙏