418sec / huntr

Public Roadmap | huntr.dev
https://huntr.dev

Maintainers can publish an unfixed report #2188

Closed rbouqueau closed 1 year ago

rbouqueau commented 2 years ago

Hi all, thanks for all the hard work here!

Following a discussion with @JamieSlome here, we've identified two possible incremental improvements:

1) Allow maintainers to change the visibility of a report. Practically, making it public would allow us to not duplicate each report, hence reducing our workload.
2) Even better, propose to create a github issue when making the report public. That would lower the friction to the minimum.

psmoros commented 2 years ago

Hey @rbouqueau! Happy new year and thanks for your suggestion!

You'd like to publish reports that haven't been fixed (but have been reviewed and validated) in order to avoid duplicate disclosures, right?

rbouqueau commented 2 years ago

in order to avoid duplicate disclosures, right?

Nope, I hadn't thought of that but that's a nice side-effect.

As maintainers we are trying to avoid endless copy-pastes from private platforms to our public github. So 1) is about putting the link to your platform from our github and 2) is (even better) copying the information into a github issue on our side.

The delay for fixing issues reported by email is so much longer than on github. Emails from security teams get lost at a surprisingly high rate (e.g. the one from huntr only reached one person). And it requires internal team synchronization (from mostly benevolent contributors in all timezones) while we can handle this easily from github.