Improve vulnerability reporting process #22231
Assignees
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As part of reporting GHSA-973x-65j7-xcf4 for Aircompressor, I also tried to contact the maintainers here, and there were several problems:
SECURITY.mdhere recommends sending a mail to security@trino.io, but my mail was apparently ignoredSECURITY.md), but my report https://github.com/trinodb/trino/security/advisories/GHSA-hg52-rhfq-x59c was ignored (?)Suggestions
SECURITY.mdthenPersonally I would recommend GitHub private vulnerability reporting because it simplifies some things, e.g.
This is probably most important. Please confirm when you received the report, confirm if you were able to reproduce it. Ask if something is unclear or you disagree with the reporter (maybe there is a misunderstanding). Describe your planned schedule for the fix or publication of the advisory, or mention if you need more time. The reporter usually does not expect that you immediately publish a fix, but just wants to make sure you are aware of the vulnerability and a fix is published eventually.
The worst thing is when you don't respond and the vulnerability is then either never fixed, or the reporter decides to publicly disclose it or directly contacts MITRE. And then you as maintainers are surprised by it and have to rush a fix for it, which risks being incomplete; and your users might be vulnerable in the meantime.
The text was updated successfully, but these errors were encountered: