New top story on Hacker News: Ask HN: How do you responsibly report security bugs to open-source projects?


Tuesday, December 31, 2019

Ask HN: How do you responsibly report security bugs to open-source projects?
16 by WinonaRyder | 6 comments on Hacker News.
I found a DoS vulnerability in an open-source project whose maintainer seems to be MIA at the moment. I found it in the wild, but not as an exploit, so I've only made minimal effort to contact said maintainer; no surprise I haven't gotten a response so far. I don't want to draw any attention to it in a bug report, and I'm not sure it's OK to dig up email addresses from commit logs either. It also got me thinking: why don't we have a bug-bounty-like program for open-source projects as a whole? What I mean is somewhere where we can post sensitive bugs (even for no pay) and have someone who knows what they're doing guide the process of reporting it responsibly. I know some big projects have this, but e.g. look at the mountain of dependencies that most projects are built on; many of them are barely maintained.
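The two contact routes the post mentions (a project's published disclosure channel, and falling back to commit-log authors) can be checked mechanically before anything sensitive is written down. The script below is an added example and is not code from the post or from any project; it assumes a local git checkout, looks for a SECURITY.md-style policy file in the locations GitHub recognises, pulls any e-mail addresses, URLs and security.txt-style "Contact:" lines (RFC 9116 convention) out of it, and only if no policy exists ranks commit authors by commit count while discarding noreply addresses that cannot receive mail. The sample policy and log text in the test are constructed.

```python
"""Find a responsible-disclosure contact for a git checkout.

Policy file first (SECURITY.md and friends); commit-log authors only as a fallback.
Added example, not from the post or any project.
"""
import json
import re
import subprocess
import sys
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Paths commonly used for a disclosure policy; GitHub also scans .github/ and docs/.
POLICY_PATHS = ["SECURITY.md", "SECURITY", "SECURITY.txt",
                ".github/SECURITY.md", "docs/SECURITY.md"]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s)>\]]+")
# Forwarding-only addresses that should never be used as a disclosure channel.
NOREPLY_DOMAINS = ("noreply.github.com", "users.noreply.github.com")


def find_policy_file(repo: Path) -> Optional[Path]:
    """Return the first existing policy file under the checkout, if any."""
    for rel in POLICY_PATHS:
        candidate = repo / rel
        if candidate.is_file():
            return candidate
    return None


def parse_contacts(policy_text: str) -> Dict[str, List[str]]:
    """Extract e-mail addresses, URLs and 'Contact:' lines from a policy body."""
    emails = sorted(set(EMAIL_RE.findall(policy_text)))
    urls = sorted(set(URL_RE.findall(policy_text)))
    # 'Contact:' lines follow the security.txt convention (RFC 9116); keep file order.
    contact_lines = [m.strip() for m in re.findall(r"(?im)^contact:\s*(.+)$", policy_text)]
    return {"emails": emails, "urls": urls, "contact_lines": contact_lines}


def maintainer_emails_from_log(log_text: str, top: int = 3) -> List[Tuple[str, int]]:
    """Rank commit authors by commit count, dropping noreply addresses.

    Expects one line per commit as produced by
    git log --format='%aN <%aE>%x09%aI', i.e. "Name <email>\\tISO-date".
    Addresses are lower-cased so differently-cased spellings merge.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = re.match(r"^(.*?) <([^>]+)>\t", line)
        if not m:
            continue  # not a log line in the expected format
        name, email = m.group(1).strip(), m.group(2).strip().lower()
        if email.endswith(NOREPLY_DOMAINS):
            continue
        counts[f"{name} <{email}>"] += 1
    return counts.most_common(top)


def collect_git_log(repo: Path, max_commits: int = 500) -> str:
    """Run git log in the checkout and return author/date lines (requires git)."""
    result = subprocess.run(
        ["git", "-C", str(repo), "log", f"-n{max_commits}", "--format=%aN <%aE>%x09%aI"],
        capture_output=True, text=True, check=True)
    return result.stdout


def find_disclosure_channel(repo: Path) -> dict:
    """Prefer the published policy; fall back to the most active commit authors."""
    policy = find_policy_file(repo)
    if policy is not None:
        return {"source": str(policy), **parse_contacts(policy.read_text(errors="replace"))}
    return {"source": "git log (fallback)",
            "authors": maintainer_emails_from_log(collect_git_log(repo))}


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(json.dumps(find_disclosure_channel(target), indent=2))
```

Run it as `python find_contact.py /path/to/checkout`. A policy file, when present, is the channel the maintainers asked for, so the fallback is deliberately not consulted in that case; when only the fallback applies, the ranking tells you who has actually been committing recently rather than whoever happens to be listed first in a stale AUTHORS file.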
