The security reporting situation that I see at the ASF and in #curl is

- huge increase in reports
- increase of valid reports
- appearance of duplicate/triplicate reports of the same issue by different people

A high profile project needs to deal with 2-4 new reports each day. This is nuts.

One *may* hope this to go down again later this year bc
- unhallucinated issues are finite (see the fuzzing wave)
- eventually it will cost real money to generate these reports

@icing a reporting tool able to identify duplicates (reports around the same bugs) would be useful and not too difficult to code.
@rogersm @icing issue is that security reports are not processed through the same issue tracker, and if there is a real CVE they'll be fixed "discreetly" and not fully announced until a patched release ships.
If the same shipped code is scanned multiple times by the same agent, it's probably going to find the same issues, real or not.