Hi Anatoly, > Many projects have some private mail list or some other policies for > reporting issues with possible security implications. I mean some bugs > that the reporter cannot qualify for sure as a "safe to publicly > disclose" (still, they can turn out to be not security-related after > review). > > BlueZ, on the other hand, has a policy of "never write to them > [developers] directly" and no easily grep-able guidelines on reporting > possibly security-related issues. So, what is the preferred way for > reporting such things? unless they are high severity issues that are remotely exploitable to gain root access, I personally have no problem if they are reporting directly to the public mailing list. For example we have test utilities and development utilities that don’t normally run in production systems. We will fix every issue reported, but they are just bugs and not security issues. Regards Marcel