Request for avenue of contact with security team

[rahulhoysala]

Hello. I have identified a vulnerability within the Protobuf codebase which I have reported to Google. The report has been accepted and I am trying to submit a patch as per Google's VRP, but I am unsure where to contact a maintainer or a security analyst to discuss the patch - can I get an avenue for contact, please? I know Github Issues isn't the place for this, but I was unsure how else to reach out and to whom.

[zhangskz]

@rahulhoysala You should be able to reach out to VRP (I believe likely through submitted report) who can coordinate and route communications accordingly.

I've reached out to VRP folks internally to let them know.

[rahulhoysala]

@zhangskz I have submitted the patch through google's VRP submission thread. I was informed that the team had been made aware of the report and are evaluating it, so I assume you know which report it is.
If the patch I have written is compliant with your quality and functionality expectations, please let me know if you can merge it.
I have also officially requested a CVE to be assigned. I wasn't sure if the CNA in this case would be Google or if you would reserve a CVE through Github as the acting CNA, so I thought I'd mention it here for clarification.