Ask HN: How do you responsibly report security bugs to open-source projects?
18 by WinonaRyder | 7 comments on Hacker News.
I found a DoS vulnerability in an Open Source project whose maintainer seems to be MIA at the moment. I found it in the wild, but not as an exploit, so I've only made minimal effort to contact said maintainer - no surprise I haven't gotten a response so far. I don't want to draw any attention to it in a bug report, and I'm not sure it's OK to dig up email addresses from commit logs either. It also got me thinking: why don't we have a Bug Bounty-like program for Open Source projects as a whole? What I mean is somewhere where we can post sensitive bugs (even for no pay) and have someone who knows what they're doing guide the process of reporting it responsibly. I know some big projects have this, but e.g. look at the mountain of dependencies that most projects are built on - many of them barely maintained.