> Hi Anatoly, > > > Many projects have some private mail list or some other policies for > > reporting issues with possible security implications. I mean some bugs > > that the reporter cannot qualify for sure as a "safe to publicly > > disclose" (still, they can turn out to be not security-related after > > review). > > > > BlueZ, on the other hand, has a policy of "never write to them > > [developers] directly" and no easily grep-able guidelines on reporting > > possibly security-related issues. So, what is the preferred way for > > reporting such things? > > unless they are high severity issues that are remotely exploitable to gain root access, I personally have no problem if they are reporting directly to the public mailing list. > > For example we have test utilities and development utilities that don’t normally run in production systems. We will fix every issue reported, but they are just bugs and not security issues. In my case the problem was I would want first get an advice on whether some reproducer cannot signify "over the air" memory disclosure as well (yes, I'm not familiar with Bluetooth internals...) and, if yes, whether such disclosures are issues for BT stack. But, by doing this via "writing to developers directly", I violate the project policy that technically can be implemented as a spam filter as well :) So I cannot know whether that letter was received and just postponed due to low severity or was filtered out at all. > Regards > > Marcel Best regards Anatoly