Subject: Re: On reporting issues with potential security implications
From: Marcel Holtmann
To: Anatoly Trosinenko
Cc: Bluez mailing list
Date: Thu, 5 Mar 2020 12:07:53 +0100
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Anatoly,

> Many projects have some private mail list or some other policies for
> reporting issues with possible security implications. I mean some bugs
> that the reporter cannot qualify for sure as a "safe to publicly
> disclose" (still, they can turn out to be not security-related after
> review).
>
> BlueZ, on the other hand, has a policy of "never write to them
> [developers] directly" and no easily grep-able guidelines on reporting
> possibly security-related issues. So, what is the preferred way for
> reporting such things?

Unless they are high severity issues that are remotely exploitable to gain root access, I personally have no problem if they are reported directly to the public mailing list. For example we have test utilities and development utilities that don’t normally run in production systems. We will fix every issue reported, but they are just bugs and not security issues.

Regards

Marcel