Hello,

What is the modus operandi for submitting multiple CVEs in the same bug report?

I ask because I recently submitted a bug on php5 and got pushback from the maintainer saying that I should not have submitted multiple vulnerabilities in one report [1].

From my perspective, being able to submit multiple vulns makes the job of the security team (and assistants) much easier and more straightforward. And if the maintainer prefers to track vulnerabilities individually, then they always have the option to do so at their own leisure (via cloning).

It may be useful to state this as the common practice/policy in the security-tracker overview doc. If there are no objections, I will modify the wording to include such a statement.

Thanks,
Mike

[1] http://bugs.debian.org/523028
