Closed fcanogab closed 2 years ago
Maybe a recommendation that creating a public github issue is perhaps not the best way to report a vulnerability? And that you should check for a security policy or another channel to responsibly disclose?
(but maybe that isn't in scope for the verification of findings initiative)
This looks like it overlaps with the OpenSSF Vulnerability Disclosures WG: https://github.com/ossf/wg-vulnerability-disclosures - I recommend coordinating with them.
Also: If it's an OSS project, in many cases OSS projects expect source code changes.
At the least, reproducibility is a minimum bar; without that, it's impossible to determine if it's there or if it's fixed.
I'd like to discuss where we are with this discussion at the WG meeting this week.
@ware we talked about it, and it was probably better to include this in the Vulnerability Disclosure WG; in that group they thought this does not have enough significance to be a project by itself. I think we can close this issue.