I think the security list is a good choice.

Lee
On 3 8 2021, at 2:55, Stefan Bodewig <bode...@apache.org> wrote:
> On 2021-03-07, Gary Gregory wrote:
>
> > This issue has popped as well WRT GitHub emails from Dependabot.
> I don't think this is comparable.
> The fuzzer may find issues that can be exploited as DoS attacks, so the
> results probably should go to a subscription-moderated list IMHO.
>
> Stefan
> > Gary
> > On Sun, Mar 7, 2021, 12:45 Matt Sicker <boa...@gmail.com> wrote:
> >> We could create another private list for static analysis alerts perhaps?
> >> On Sun, 7 Mar 2021 at 03:51, Stefan Bodewig <bode...@apache.org> wrote:
> >>> On 2021-03-07, Fabian Meumertzheim wrote:
> >>>> On Sat, Mar 6, 2021 at 10:08 PM Stefan Bodewig <bode...@apache.org> wrote:
>
> >>>>> OTOH I'm not sure I understand the requirements of OSS-Fuzz. I haven't
> >>>>> read the docs, only looked at the image of the process. Seeing a
> >>>>> Sheriffbot tracking deadlines makes me very uncomfortable. I'm a
> >>>>> volunteer and so are most others around here.
>
> >>>> The disclosure policy for OSS-Fuzz is detailed here:
> >>>> https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/
> >>>> Reports will become public after 90 days (plus a 14 day grace period
> >>>> if a patch is close to being released).
>
> >>> Well, 90 days would work for me. Let's hear whether others object.
> >>> Extending the deadline if it ends on a weekend is the opposite of what
> >>> I'd personally need, though :-)
>
> >>>>>> All I would need from you is a list of emails to which the automated
> >>>>>> bug reports should go. The reports are usually directly actionable as
> >>>>>> they include stack traces and minimized reproducers.
>
> >>>>> In general I'd think the notifications list of the Commons project would
> >>>>> be the best fit. Of course the nature of the issues detected could
> >>>>> lead to the fuzzer uncovering security critical bugs that we may not
> >>>>> want to become public before a release fixing it has become available.
>
> >>>> I am currently working on improving the automatic security/severity
> >>>> analysis of Java findings in OSS-Fuzz, which should help prioritize
> >>>> the security-relevant bugs (e.g. OoM, infinite loops) over the less
> >>>> important ones (e.g. undeclared exception).
>
> >>>> However, afaik the list of email recipients for a bug currently can't
> >>>> depend on the security content of the bug, so it might be better to
> >>>> choose a private mailing list here.
>
> >>> I see. But I really wouldn't want to use the security list for
> >>> everything. Maybe somebody else got a good idea where to send results?
>
> >>> Stefan
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> >>> For additional commands, e-mail: dev-h...@commons.apache.org
