I've read the security.md file and maybe I'm running a little slow
today, but I still don't understand how I would go about reporting a
serious security bug and what will happen afterwards.
Let's say I find a really serious vulnerability, something that might
let me erase your file system, or perhaps run some code as root. It
seems irresponsible to provide any level of detail about this in a
public issue tracker beyond saying "contact me, I've found a major
vulnerability". I realize this is a real problem for the development
team because you don't know if I've really found something or I'm a
troll out to waste your time. On the flip side, posting "the string
xxx in a file read by driver yyy will allow me to do <horrible thing>"
in a public issue tracker is just asking for trouble.

Fair point. I've added a commit with the following text: "However please
refrain from publicly posting exploits with harmful consequences (data
destruction, etc.). Only people with the GitHub handles from the [Project Steering
Committee](https://gdal.org/community/index.html#project-steering-committee)
(or people that they would explicitly allow) are allowed to ask you
privately for such dangerous reproducers if that was needed."
--
http://www.spatialys.com
My software is free, but my time generally not.
_______________________________________________
gdal-dev mailing list
https://lists.osgeo.org/mailman/listinfo/gdal-dev