You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Bernd Eckenfels (Jira)" <ji...@apache.org> on 2023/07/15 15:11:00 UTC

[jira] [Closed] (IMAGING-354) Improve vulnerability reporting

     [ https://issues.apache.org/jira/browse/IMAGING-354?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernd Eckenfels closed IMAGING-354.
-----------------------------------
    Resolution: Invalid

Sorry that you had such a bad communication regarding a security issue. However the brackermis Notwehr right way to contact the PMC or the security team.

I would discuss this on the developer list, maybe with cc to the PMC-private list as well as the ASF security team.

Btw I cant comment on the actual issue, I am missing the background.

> Improve vulnerability reporting
> -------------------------------
>
>                 Key: IMAGING-354
>                 URL: https://issues.apache.org/jira/browse/IMAGING-354
>             Project: Commons Imaging
>          Issue Type: Improvement
>            Reporter: Marcono1234
>            Priority: Major
>
> Hello,
> on May 1st I wrote to security@commons.apache.org and got the response:
> {quote}
> That team will be in contact with you directly once they have completed their investigation or if they have further questions for you. Note that as we often receive a lot of incoming reports, issues are generally dealt with in severity order so please be patient.
> {quote}
> Because I hadn't received any response so far, but there was activity in the commons-imaging repository, I then responded to that mail on June 4th. So far I still haven't received any response per mail. I think / hope I was reasonably patient so far, but it would have been nice to have some communication, for example confirming the issue, asking if a fix would solve the issue, respectively discussing the fix...
> Maybe there was an issue with e-mail communication, but because I received the initial confirmation that my mail was received, I assumed there was no issue with e-mail communication.
> I am not planning to disclose the issue, neither here nor somewhere else any time soon, and I am not asking for an immediate fix. It would just be nice to have communication, see also my previous mail.
> As mentioned in my mail, maybe [GitHub private vulnerability reporting|https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository] would be good additional way to support vulnerability reporting, which would also be more transparent than using mails.
> CC [~ggregory]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)