Point of Contact For Security Issue

[Kwstubbs]

Steps to reproduce

Greetings,

Github Security Lab has found a vulnerability in cloudstream. Please let us know a secure point of contact (email, Private Vulnerability Reporting) so we can disclose issues. We recommend creating a SECURITY.md so future security researchers can contact you.

Thank you,

Kevin Stubbings

Expected behavior

N/A

Actual behavior

N/A

Cloudstream version and commit hash

N/A

Android version

N/A

Logcat

Other details

No response

Acknowledgements

• I am sure my issue is related to the app and NOT some extension.
• I have searched the existing issues and this is a new ticket, NOT a duplicate or related to another open issue.
• I have written a short but informative title.
• I have updated the app to pre-release version Latest.
• I will fill out all of the requested information in this form.

[fire-light42]

I have enabled private security reporting, SECURITY.md is on the way.

CloudStream by design supports arbitrary code execution from installed extensions, this is a major security vulnerability but it is inherent to the design of CloudStream. There are some long term plans to sandbox extensions to lessen the security impact, but ACE from installed extensions is currently considered out of scope.

Bypassing this explicit user installation process would however qualify. We are aware of methods to accomplish this and we will update the app accordingly.