Hi, would appreciate some comments on this, either here or at GH. It's a strong opinion but it's only my opinion; I'd welcome any other POV on how to tackle this kind of issue, especially if you feel otherwise.
thx + best regards,
juan pablo

On Fri, Sep 23, 2022 at 11:32 PM GitBox <g...@apache.org> wrote:
>
> juanpablo-santos commented on PR #228:
> URL: https://github.com/apache/jspwiki/pull/228#issuecomment-1256697358
>
> Hi @JLLeitschuh,
>
> speaking for myself, **not** on behalf of the project, while most of the time I welcome any PR, I have to say that I find this kind of PR disrespectful and irresponsible. Don't get me wrong, I appreciate your security concerns, but I sincerely think this is not the way.
>
> Sending bulk e-mails is very similar to how spam works. Furthermore, the proposed code fix has been detected by mass scanning OSS projects, without a check that indeed there is a vulnerability (details on this at the end of this comment). As a security researcher/whatever you are expected to do at least that. Every other vulnerability report that we have received has done that, so sending a security report without checking is somewhat disrespectful to other security researchers. How the vulnerability can be exploited is also a nice to have, so the people receiving your reports are able to fix the issue as fast as possible, but since you have gone the public way I suppose it is fine as it is.
>
> You say that you know/hope/think that there is a vulnerability, so you choose to disclose publicly because you don't have time to go to every project and check how they manage these kinds of issues. Please respect everybody else's time, which will probably be as scarce and valuable as yours, and play nice. Think of it as if part of your security research involves time on those tasks. Same for verifying whatever the tooling you use has found. Yes, you would probably not reach as many projects, but that's just a matter of quality over quantity. Also, since you are targeting GitHub projects, here's a hint: most of them contain a Security tab at the top of each repo with further instructions. For ASF projects, you can directly follow up with [these instructions](https://apache.org/security/); since there are more than 200 ASF projects, plus the incubating ones, surely that's worth automating.
>
> Really, full public disclosure does not help anyone: best case scenario, there isn't really a security vulnerability, and some maintainer will have to write back to someone who thinks that mass e-mailing projects is fine, after wasting his/her time looking into whether the report is really valid. Worst case scenario, let's say you find the next log4shell issue; I fail to see how it would be a good idea to publicly disclose that. Seriously. Don't blame lack of GH infrastructure and just be responsible. Doing otherwise is not cool.
>
> As for the proposed one line fix, there's a comparison between a path's file and a directory whose path can't be reached or managed by an end-user, so I can't see how the reported vulnerability could be exploited, nor the need to security-harden it. Would be nice if you could follow up with this, most preferably following [these guidelines](https://github.com/apache/jspwiki/security/policy).
>
> best regards,
>
>
> --
> This is an automated message from the Apache Git Service.
> To respond to the message, please log on to GitHub and use the
> URL above to go to the specific comment.
>
> To unsubscribe, e-mail: dev-unsubscr...@jspwiki.apache.org
>
> For queries about this service, please contact Infrastructure at:
> us...@infra.apache.org