Respecting maintainer time should be in security policies. Even better: you don't even have to mention the elephant in the room!

https://sethmlarson.dev/respecting-maintainer-time-should-be-in-security-policies

#opensource #oss #security

@sethmlarson I'm not sure what to make of "Reports must not make a determination whether a behavior of the software represents a vulnerability." A lot of issue trackers give the reporter an option to hide a report from public view until a fix is released. The decision to check that box feels like such a "determination." Should a reporter file the issue publicly until the maintainer takes it private?

@PinoBatch Yeah, my phrasing is a bit opaque... let me try to clarify.

What I meant here is that sometimes reporters will come to a project having already determined that whatever they found is a vulnerability. If there isn't a threat model, then this can't be done without also talking to the maintainer.