Hello,
Many projects have some private mail list or some other policies for
reporting issues with possible security implications. I mean some bugs
that the reporter cannot qualify for sure as a "safe to publicly
disclose" (still, they can turn out to be not security-related after
review).
BlueZ, on the other hand, has a policy of "never write to them
[developers] directly" and no easily grep-able guidelines on reporting
possibly security-related issues. So, what is the preferred way for
reporting such things?
Best regards
Anatoly
Hi Anatoly,
> Many projects have some private mail list or some other policies for
> reporting issues with possible security implications. I mean some bugs
> that the reporter cannot qualify for sure as a "safe to publicly
> disclose" (still, they can turn out to be not security-related after
> review).
>
> BlueZ, on the other hand, has a policy of "never write to them
> [developers] directly" and no easily grep-able guidelines on reporting
> possibly security-related issues. So, what is the preferred way for
> reporting such things?
unless they are high severity issues that are remotely exploitable to gain root access, I personally have no problem if they are reporting directly to the public mailing list.
For example we have test utilities and development utilities that don’t normally run in production systems. We will fix every issue reported, but they are just bugs and not security issues.
Regards
Marcel
> Hi Anatoly,
>
> > Many projects have some private mail list or some other policies for
> > reporting issues with possible security implications. I mean some bugs
> > that the reporter cannot qualify for sure as a "safe to publicly
> > disclose" (still, they can turn out to be not security-related after
> > review).
> >
> > BlueZ, on the other hand, has a policy of "never write to them
> > [developers] directly" and no easily grep-able guidelines on reporting
> > possibly security-related issues. So, what is the preferred way for
> > reporting such things?
>
> unless they are high severity issues that are remotely exploitable to gain root access, I personally have no problem if they are reporting directly to the public mailing list.
>
> For example we have test utilities and development utilities that don’t normally run in production systems. We will fix every issue reported, but they are just bugs and not security issues.
In my case the problem was I would want first get an advice on whether
some reproducer cannot signify "over the air" memory disclosure as
well (yes, I'm not familiar with Bluetooth internals...) and, if yes,
whether such disclosures are issues for BT stack. But, by doing this
via "writing to developers directly", I violate the project policy
that technically can be implemented as a spam filter as well :) So I
cannot know whether that letter was received and just postponed due to
low severity or was filtered out at all.
> Regards
>
> Marcel
Best regards
Anatoly