juanpablo-santos commented on PR #228: URL: https://github.com/apache/jspwiki/pull/228#issuecomment-1256697358
Hi @JLLeitschuh, speaking for myself, **not** on behalf of the project, while most of the time I welcome any PR, I have to say that I find this kind of PR disrespectful and irresponsible. Don't get me wrong, I appreciate your security concerns, but I sincerely think this is not the way. Sending bulk e-mails is very similar to how spam works. Furthermore, the proposed code fix has been detected by mass scanning of OSS projects, without a check that there is indeed a vulnerability (details on this at the end of this comment). As a security researcher/whatever, you are expected to do at least that. Every other vulnerability report that we have received has done that, so sending a security report without checking is somewhat disrespectful to other security researchers. How the vulnerability can be exploited is also a nice-to-have, so that the people receiving your reports are able to fix the issue as fast as possible, but since you have gone the public way I suppose it is fine as it is.

You say that you know/hope/think that there is a vulnerability, so you choose to disclose publicly because you don't have time to go to every project and check how they manage these kinds of issues. Please respect everybody else's time, which will probably be as scarce and valuable as yours, and play nice. Think of it as if part of your security research involves time on those tasks. Same for verifying whatever the tooling you use has found. Yes, you would probably not reach as many projects, but that's just a matter of quality over quantity. Also, since you are targeting GitHub projects, here's a hint: most of them contain a Security tab at the top of each repo with further instructions. For ASF projects, you can directly follow up with [these instructions](https://apache.org/security/); since there are more than 200 ASF projects, plus the incubating ones, surely that's worth automating.
Really, full public disclosure does not help anyone: best case scenario, there isn't really a security vulnerability, and some maintainer will have to write back to someone who thinks that mass e-mailing projects is fine, after wasting his/her time checking whether the report is really valid. Worst case scenario, let's say you find the next log4shell issue; I fail to see how it would be a good idea to publicly disclose that. Seriously. Don't blame lack of GH infrastructure and just be responsible. Doing otherwise is not cool.

As for the proposed one-line fix, there's a comparison between a path's file and a directory whose path can't be reached or managed by an end user, so I can't see how the reported vulnerability could be exploited, nor the need to security-harden it. Would be nice if you could follow up with this, most preferably following [these guidelines](https://github.com/apache/jspwiki/security/policy).

best regards,