A published CVE related to an artifact can also affect projects that depend on it. Disclosing the affected dependent projects in a public forum before they have a chance to provide a fixed version can cause security issues for their users. No harm in requesting a response by using the appropriate communication channels. Please see the page of the ASF Security Team[1] for further information and contact information.
[1] https://www.apache.org/security/

On Fri, 25 Oct 2024 at 15:47, david kerns <david.t.ke...@gmail.com> wrote:
> On Fri, Oct 25, 2024 at 6:21 AM Domenico Francesco Bruscino <
> bruscin...@gmail.com> wrote:
>
> > I strongly encourage you to report potential security vulnerabilities to
> > secur...@apache.org mailing lists first, before disclosing them in a
> > public forum. Please see the page of the ASF Security Team[1] for further
> > information and contact information.
> >
> > [1] https://www.apache.org/security/
>
> you are certainly correct about newly discovered vulnerabilities, but once
> a CVE is published, the cat is already out of the bag (no harm in
> requesting a response)