On Thu, 9 Mar 2023, Daniel Gustafsson wrote:
This opens us up to the risk that we've misjudged the severity, and we publish what we think is Low but in reality should've been High (or higher). Ideally this shouldn't happen, and thus the risk is low, but known risks are better than unknown. If we are on the fence regarding severity it should be fine to keep it hidden as per the process for High.
Ah yes, good point. We should be fairly sure of the severity level before we make a (public) PR to fix any security flaw.
Do you think it is worth adding words about that in the SECURITY-PROCESS document?
-- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://curl.se/support.html -- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html
