Posted to issues@commons.apache.org by "Marcono1234 (Jira)" <ji...@apache.org> on 2023/07/15 14:50:00 UTC

[jira] [Commented] (IMAGING-354) Improve vulnerability reporting

    [ https://issues.apache.org/jira/browse/IMAGING-354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17743401#comment-17743401 ] 

Marcono1234 commented on IMAGING-354:
-------------------------------------

[~ggregory], [~kinow]

Could you please comment on this here and/or respond to my mails? Even if your response is that you don't consider this a vulnerability or that you consider this fixed (which I do not agree with), I would already appreciate that. Then I could properly file a public bug report for this instead. Currently I still have to keep this in the back of my head, because otherwise I fear my original report will just be forgotten and the issue will remain unresolved.

(maybe the previous ping in the description of this Jira issue wasn't working because I added it retroactively)

> Improve vulnerability reporting
> -------------------------------
>
>                 Key: IMAGING-354
>                 URL: https://issues.apache.org/jira/browse/IMAGING-354
>             Project: Commons Imaging
>          Issue Type: Improvement
>            Reporter: Marcono1234
>            Priority: Major
>
> Hello,
> on May 1st I wrote to security@commons.apache.org and got the response:
> {quote}
> That team will be in contact with you directly once they have completed their investigation or if they have further questions for you. Note that as we often receive a lot of incoming reports, issues are generally dealt with in severity order so please be patient.
> {quote}
> Because I hadn't received any response so far, but there was activity in the commons-imaging repository, I then responded to that mail on June 4th. So far I still haven't received any response by mail. I think / hope I have been reasonably patient so far, but it would have been nice to have some communication, for example confirming the issue, asking whether a fix would solve the issue, or discussing the fix...
> Maybe there was an issue with e-mail communication, but because I received the initial confirmation that my mail was received, I assumed there was no issue with e-mail communication.
> I am not planning to disclose the issue, neither here nor somewhere else any time soon, and I am not asking for an immediate fix. It would just be nice to have communication, see also my previous mail.
> As mentioned in my mail, maybe [GitHub private vulnerability reporting|https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository] would be a good additional way to support vulnerability reporting, which would also be more transparent than using mails.
> CC [~ggregory]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)