On 2021-03-07, Gary Gregory wrote:

> This issue has popped as well WRT GitHub emails from Dependabot.

I don't think this is comparable. The fuzzer may find issues that can be exploited as DoS attacks, so the results probably should go to a subscription-moderated list IMHO.

Stefan

> Gary
>
> On Sun, Mar 7, 2021, 12:45 Matt Sicker <boa...@gmail.com> wrote:
>
>> We could create another private list for static analysis alerts perhaps?
>>
>> On Sun, 7 Mar 2021 at 03:51, Stefan Bodewig <bode...@apache.org> wrote:
>>
>>> On 2021-03-07, Fabian Meumertzheim wrote:
>>>
>>>> On Sat, Mar 6, 2021 at 10:08 PM Stefan Bodewig <bode...@apache.org> wrote:
>>>>
>>>>> OTOH I'm not sure I understand the requirements of OSS-Fuzz. I haven't read the docs, only looked at the image of the process. Seeing a Sheriffbot tracking deadlines makes me very uncomfortable. I'm a volunteer and so are most others around here.
>>>>
>>>> The disclosure policy for OSS-Fuzz is detailed here: https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/
>>>>
>>>> Reports will become public after 90 days (plus a 14 day grace period if a patch is close to being released).
>>>
>>> Well, 90 days would work for me. Let's hear whether others object.
>>>
>>> Extending the deadline if it ends on a weekend is the opposite of what I'd personally need, though :-)
>>>
>>>>>> All I would need from you is a list of emails to which the automated bug reports should go. The reports are usually directly actionable as they include stack traces and minimized reproducers.
>>>>>
>>>>> In general I'd think the notifications list of the Commons project would be the best fit. Of course the nature of the issues detected could lead to the fuzzer uncovering security critical bugs that we may not want to become public before a release fixing it has become available.
>>>>
>>>> I am currently working on improving the automatic security/severity analysis of Java findings in OSS-Fuzz, which should help prioritize the security-relevant bugs (e.g. OoM, infinite loops) over the less important ones (e.g. undeclared exception).
>>>>
>>>> However, afaik the list of email recipients for a bug currently can't depend on the security content of the bug, so it might be better to choose a private mailing list here.
>>>
>>> I see. But I really wouldn't want to use the security list for everything. Maybe somebody else got a good idea where to send results?
>>>
>>> Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org