Re: On reporting issues with potential security implications

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> Hi Anatoly,
>
> > Many projects have some private mail list or some other policies for
> > reporting issues with possible security implications. I mean some bugs
> > that the reporter cannot qualify for sure as a "safe to publicly
> > disclose" (still, they can turn out to be not security-related after
> > review).
> >
> > BlueZ, on the other hand, has a policy of "never write to them
> > [developers] directly" and no easily grep-able guidelines on reporting
> > possibly security-related issues. So, what is the preferred way for
> > reporting such things?
>
> unless they are high severity issues that are remotely exploitable to gain root access, I personally have no problem if they are reporting directly to the public mailing list.
>
> For example we have test utilities and development utilities that don’t normally run in production systems. We will fix every issue reported, but they are just bugs and not security issues.

In my case the problem was I would want first get an advice on whether
some reproducer cannot signify "over the air" memory disclosure as
well (yes, I'm not familiar with Bluetooth internals...) and, if yes,
whether such disclosures are issues for BT stack. But, by doing this
via "writing to developers directly", I violate the project policy
that technically can be implemented as a spam filter as well :) So I
cannot know whether that letter was received and just postponed due to
low severity or was filtered out at all.

> Regards
>
> Marcel

Best regards
Anatoly




[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux