On Sat, Mar 6, 2021 at 10:08 PM Stefan Bodewig <bode...@apache.org> wrote:

> OTOH I'm not sure I understand the requirements of OSS-Fuzz. I haven't
> read the docs only looked at the image of the process. Seeing a
> Sheriffbot tracking deadlines makes me very uncomfortable. I'm a
> volunteer and so are most others around here.

The disclosure policy for OSS-Fuzz is detailed here:
https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/
Reports will become public after 90 days (plus a 14-day grace period
if a patch is close to being released).

>
> > All I would need from you is a list of emails to which the automated
> > bug reports should go. The reports are usually directly actionable as
> > they include stack traces and minimized reproducers.
>
> In general I'd think the notifications list of the Commons project would
> be the best fit. Of course the nature of the issues detected could
> lead to the fuzzer uncovering security critical bugs that we may not
> want to become public before a release fixing it has become available.

I am currently working on improving the automatic security/severity
analysis of Java findings in OSS-Fuzz, which should help prioritize
the security-relevant bugs (e.g. OoM, infinite loops) over the less
important ones (e.g. undeclared exception).
However, afaik the list of email recipients for a bug currently can't
depend on the security content of the bug, so it might be better to
choose a private mailing list here.
