Stefan Eissing4d ago

The security reporting situation that I see at the ASF and in #curl is

- huge increase in reports
- increase of valid reports
- appearance of duplicate/triplicate reports of the same issue by different people

A high profile project needs to deal with 2-4 new reports each day. This is nuts.

One *may* hope this to go down again later this year bc
- unhallucinated issues are finite (see the fuzzing wave)
- eventually it will cost real money to generate these reports

Show threadÉtienne Parmentier
@icing based on your description, it sounds like report submiters don’t check if the issue was already reported ? Or are they spamming reports intentionally and Hope one is getting through ?
Apr 4 at 8:05amWeb
Show threadck4d ago
@tinylittleenormous @icing You cannot see undisclosed reports, so I'd think it's not unlikely to get duplicates since everyone is using all the same tools.
Show threadÉtienne Parmentier4d ago
@icing @ck that’s why ! Thx