🔴 Security contact request – TLS-certificate bypass high-severity security issue

[ColeMurray]

Hello maintainers 👋,

We have discovered a high-severity security issue in the default configuration of knowledge_storm that allows outbound HTTPS traffic to skip certificate validation.

• Impact: Man-in-the-middle attackers on the network can intercept API calls and exfiltrate credentials.
• Severity: High (CWE-295 – Improper Certificate Validation)

We’ve prepared:

1. A minimal patch that restores secure defaults
2. A regression test
3. A proof-of-concept to demonstrate exploitability

Could you please share a private channel (PGP-encrypted e-mail or GitHub Private Vulnerability Report) so we can provide full details?

If we don’t hear back, we’ll follow Coordinated Vulnerability Disclosure guidelines and re-contact at 7 and 30 days, aiming for public disclosure no later than 90 days from today (flexible if you acknowledge and need more time).

Thank you & looking forward to working together.

— Cole Murray, Obscure Labs