(dropping security@c.a.o to avoid cross-posting between private and public lists)
On Sat, Jul 15, 2023 at 6:26 PM <some-java-user-99206970363698485...@vodafonemail.de.invalid> wrote:
> as suggested in the comments on
> https://issues.apache.org/jira/browse/IMAGING-354 I am now raising this
> issue here instead.

Thanks for sharing your experience!

> In summary, I tried reporting a potential security vulnerability to the
> maintainers of Commons Imaging in the past, and at least in my opinion
> the communication was not ideal.

I know which issue you are referring to. Unfortunately, the reason we haven't provided you with progress updates on it is that there hasn't _been_ much progress on it. The response time has been longer than we'd like here. This is in part because Apache Commons is a wide-ranging project, and security issues are initially only shared within the Commons Security group. Sometimes it can take a while to find someone with the time, energy and expertise to pick up a particular issue. If you have any time to (privately) contribute to the solution of this issue yourself, that would of course be warmly appreciated.

> In my opinion it would be great to
> consider additional / alternative ways of sending vulnerability reports
> per mail because you cannot track progress there properly at all, and
> you constantly have to keep the issue in the back of your head fearing
> that otherwise it might just be forgotten.

Luckily, if you have received our confirmation of the issue, this means we are internally tracking it and it will not be forgotten on our side. As was clearly the case here, that is unfortunately no guarantee that it will be resolved quickly - that will not change by changing the reporting mechanism.

That said, allowing vulnerability reports to be provided through alternative ways (such as GitHub Private Vulnerability Reporting) is definitely on our radar. We're working out some challenges to fit it into the rest of our workflow, though, and it will depend on the project whether they choose to use it.
Kind regards,

--
Arnout Engelen
ASF Security Response