Are we talking about a human sending emails to the security list or letting the actual tool loose on the list to possibly spam it with false positives?
Gary

On Mon, Mar 8, 2021, 02:56 Peter Lee <peter...@apache.org> wrote:
> I think the security list is a good choice.
>
> Lee
> On 3 8 2021, at 2:55, Stefan Bodewig <bode...@apache.org> wrote:
> > On 2021-03-07, Gary Gregory wrote:
> >
> > > This issue has popped as well WRT GitHub emails from Dependabot.
> >
> > I don't think this is comparable.
> >
> > The fuzzer may find issues that can be exploited as DoS attacks, so the
> > results probably should go to a subscription-moderated list IMHO.
> >
> > Stefan
> >
> > > Gary
> > >
> > > On Sun, Mar 7, 2021, 12:45 Matt Sicker <boa...@gmail.com> wrote:
> > >
> > >> We could create another private list for static analysis alerts perhaps?
> > >>
> > >> On Sun, 7 Mar 2021 at 03:51, Stefan Bodewig <bode...@apache.org> wrote:
> > >>
> > >>> On 2021-03-07, Fabian Meumertzheim wrote:
> > >>>
> > >>>> On Sat, Mar 6, 2021 at 10:08 PM Stefan Bodewig <bode...@apache.org> wrote:
> > >>>>
> > >>>>> OTOH I'm not sure I understand the requirements of OSS-Fuzz. I haven't
> > >>>>> read the docs, only looked at the image of the process. Seeing a
> > >>>>> Sheriffbot tracking deadlines makes me very uncomfortable. I'm a
> > >>>>> volunteer and so are most others around here.
> > >>>>
> > >>>> The disclosure policy for OSS-Fuzz is detailed here:
> > >>>> https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/
> > >>>> Reports will become public after 90 days (plus a 14 day grace period
> > >>>> if a patch is close to being released).
> > >>>
> > >>> Well, 90 days would work for me. Let's hear whether others object.
> > >>> Extending the deadline if it ends on a weekend is the opposite of what
> > >>> I'd personally need, though :-)
> > >>>
> > >>>>>> All I would need from you is a list of emails to which the automated
> > >>>>>> bug reports should go. The reports are usually directly actionable as
> > >>>>>> they include stack traces and minimized reproducers.
> > >>>>>
> > >>>>> In general I'd think the notifications list of the Commons project would
> > >>>>> be the best fit. Of course the nature of the issues detected could
> > >>>>> lead to the fuzzer uncovering security critical bugs that we may not
> > >>>>> want to become public before a release fixing it has become available.
> > >>>>
> > >>>> I am currently working on improving the automatic security/severity
> > >>>> analysis of Java findings in OSS-Fuzz, which should help prioritize
> > >>>> the security-relevant bugs (e.g. OoM, infinite loops) over the less
> > >>>> important ones (e.g. undeclared exception).
> > >>>>
> > >>>> However, afaik the list of email recipients for a bug currently can't
> > >>>> depend on the security content of the bug, so it might be better to
> > >>>> choose a private mailing list here.
> > >>>
> > >>> I see. But I really wouldn't want to use the security list for
> > >>> everything. Maybe somebody else got a good idea where to send results?
> > >>>
> > >>> Stefan
> > >>> ---------------------------------------------------------------------
> > >>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > >>> For additional commands, e-mail: dev-h...@commons.apache.org