Hello,

about 2 months ago I already wrote to this mailing list, mentioning that the vulnerability reporting workflow is not ideal:
https://lists.apache.org/thread/zo1mlsfx79ylhzj8h9ojohbghp9lx24s

Back then Arnout Engelen responded and asked whether I could provide a potential fix for the vulnerability I had reported. With a delay of about 2 weeks I responded privately (with Gary Gregory on CC) referring to a proof of concept for a general solution to the problem.
Since then I haven't gotten any response.

So far I had assumed that maybe an issue with my e-mail provider, your e-mail provider or the interaction between them both could have been the cause for the bad communication and potentially lost mails (which would be bad enough and another reason why the current reporting approach is not ideal). But by now I assume that indeed simply no one answered some of my mails.

Again, as mentioned previously I am not asking for an immediate fix for the issue (though of course a timely fix would be welcome); I am merely asking about communication.
In response to what Arnout Engelen wrote last:

> this means we are internally tracking it and it will not be forgotten on our side
> [...]
> that is unfortunately no guarantee that it will be resolved quickly - that will not change by changing the reporting mechanism
My previous suggestion for alternative reporting mechanisms wasn't necessarily meant to speed up resolution (though I assume it could), but mainly to provide transparency. For someone external like me it is not obvious at all what happens after the vulnerability was reported and what the current state of the report is. With other ways of reporting this would (hopefully) be way more transparent for the reporter. One important feature of GitHub's private vulnerability reporting is that you can also privately create a fork for proposing a fix and discussing it. That is most likely more comfortable and efficient than any other approach such as mailing patch files.

The experience here for me as reporter was not great so far. To me it feels like the information provided in my last private response just got lost.

I know that the issue I reported is not a critical vulnerability, but I wanted to report it privately first nonetheless to be safe, so that you can decide. If you don't even consider this a vulnerability then please create a public Jira issue for it (or allow me to do so), so that I can properly provide information there.

Kind regards


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org