This issue has popped as well WRT GitHub emails from Dependabot.

Gary

On Sun, Mar 7, 2021, 12:45 Matt Sicker <boa...@gmail.com> wrote:
> We could create another private list for static analysis alerts perhaps?
>
> On Sun, 7 Mar 2021 at 03:51, Stefan Bodewig <bode...@apache.org> wrote:
> >
> > On 2021-03-07, Fabian Meumertzheim wrote:
> >
> > > On Sat, Mar 6, 2021 at 10:08 PM Stefan Bodewig <bode...@apache.org> wrote:
> >
> > >> OTOH I'm not sure I understand the requirements of OSS-Fuzz. I haven't
> > >> read the docs, only looked at the image of the process. Seeing a
> > >> Sheriffbot tracking deadlines makes me very uncomfortable. I'm a
> > >> volunteer and so are most others around here.
> >
> > > The disclosure policy for OSS-Fuzz is detailed here:
> > > https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/
> > > Reports will become public after 90 days (plus a 14 day grace period
> > > if a patch is close to being released).
> >
> > Well, 90 days would work for me. Let's hear whether others object.
> >
> > Extending the deadline if it ends on a weekend is the opposite of what
> > I'd personally need, though :-)
> >
> > >>> All I would need from you is a list of emails to which the automated
> > >>> bug reports should go. The reports are usually directly actionable as
> > >>> they include stack traces and minimized reproducers.
> >
> > >> In general I'd think the notifications list of the Commons project would
> > >> be the best fit. Of course the nature of the issues detected could
> > >> lead to the fuzzer uncovering security critical bugs that we may not
> > >> want to become public before a release fixing it has become available.
> >
> > > I am currently working on improving the automatic security/severity
> > > analysis of Java findings in OSS-Fuzz, which should help prioritize
> > > the security-relevant bugs (e.g. OoM, infinite loops) over the less
> > > important ones (e.g. undeclared exception).
> >
> > > However, afaik the list of email recipients for a bug currently can't
> > > depend on the security content of the bug, so it might be better to
> > > choose a private mailing list here.
> >
> > I see. But I really wouldn't want to use the security list for
> > everything. Maybe somebody else got a good idea where to send results?
> >
> > Stefan
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
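The thread above turns on one practical point: OSS-Fuzz cannot pick the recipient list based on whether a finding is security-relevant, so a project receiving the reports has to do that triage itself. The script below is an added example, not code from OSS-Fuzz or from Apache Commons, that shows the kind of first-pass classification Fabian describes (out-of-memory, timeouts/infinite loops and stack exhaustion treated as denial-of-service class and kept on a private list; ordinary uncaught exceptions sent to the public notifications list). The report format, the regular expressions, the list addresses and the sample findings are all constructed assumptions for illustration; unrecognized findings are routed to the private list so the filter fails closed.

```python
"""Triage helper for fuzzer findings (added example, not OSS-Fuzz code).

Classifies a Java fuzzing finding by the kind of failure it reports and
routes it to a mailing list: denial-of-service-class bugs (out of memory,
timeouts / infinite loops, stack exhaustion) go to a private list, plain
uncaught exceptions go to the public notifications list.  The report
layout and the addresses below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Hypothetical destination lists (assumption; .invalid is a reserved TLD).
PRIVATE_LIST = "security-fuzz@example.invalid"
PUBLIC_LIST = "notifications@example.invalid"

# Failure kinds ordered from most to least severe; the first match wins,
# so the generic "uncaught-exception" rule must come last.
SEVERITY_RULES = [
    ("out-of-memory", re.compile(r"OutOfMemoryError|out-of-memory", re.I)),
    ("timeout", re.compile(r"\btimeout\b|infinite loop", re.I)),
    ("stack-exhaustion", re.compile(r"StackOverflowError")),
    ("uncaught-exception", re.compile(r"\b\w+(Exception|Error)\b")),
]

# Kinds that can take a service down and so are handled privately.
DOS_KINDS = {"out-of-memory", "timeout", "stack-exhaustion"}


@dataclass
class Finding:
    """Minimal view of an automated fuzz report: subject line plus trace."""
    title: str
    stack_trace: str


def classify(finding: Finding) -> str:
    """Return the failure kind, or 'unknown' if no rule matches."""
    text = finding.title + "\n" + finding.stack_trace
    for kind, pattern in SEVERITY_RULES:
        if pattern.search(text):
            return kind
    return "unknown"


def is_security_relevant(kind: str) -> bool:
    """DoS-class findings are security relevant; unknown ones fail closed."""
    return kind in DOS_KINDS or kind == "unknown"


def route(finding: Finding) -> str:
    """Pick the mailing list a finding should be forwarded to."""
    return PRIVATE_LIST if is_security_relevant(classify(finding)) else PUBLIC_LIST


# Constructed sample findings; the fuzzer names and frames are invented.
SAMPLE_FINDINGS = [
    Finding("Java: Out-of-memory in CompressFuzzer",
            "java.lang.OutOfMemoryError: Java heap space\n"
            "\tat org.example.Inflater.inflate(Inflater.java:42)"),
    Finding("Java: Timeout in ArchiveFuzzer",
            "== Java Exception: timeout after 25 seconds\n"
            "\tat org.example.ArchiveReader.next(ArchiveReader.java:88)"),
    Finding("Java: Uncaught exception in CsvFuzzer",
            "java.lang.IllegalArgumentException: Unexpected token\n"
            "\tat org.example.CsvParser.parse(CsvParser.java:17)"),
]


def triage(findings):
    """Group finding titles by destination list."""
    table = {PRIVATE_LIST: [], PUBLIC_LIST: []}
    for f in findings:
        table[route(f)].append(f.title)
    return table


if __name__ == "__main__":
    for dest, titles in triage(SAMPLE_FINDINGS).items():
        print(dest)
        for t in titles:
            print("  ", t)
```

The ordering of the rules is the part worth keeping in mind: the catch-all exception pattern also matches `OutOfMemoryError`, so the more severe kinds must be tested first, and anything the rules do not recognize is deliberately sent to the private list rather than published.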