JLLeitschuh commented on PR #371: URL: https://github.com/apache/commons-io/pull/371#issuecomment-1200142202
> I am sure you are well-intentioned but the path you chose (arg, pun) is not the best one for the community,

I do appreciate the pun 😂

> please take the time to read https://commons.apache.org/security.html, specifically, an issue like this one should be reported to the security mailing list before being published in the open.

Although I had not read the Apache Commons Security disclosure page, I assure you I am very familiar with the Apache Software Foundation's vulnerability disclosure process. I've disclosed numerous vulnerabilities to the ASF in the past. I also have over 50 CVEs to my name.

The problem that I encounter is a matter of scale. I can find tens, hundreds, or sometimes thousands of vulnerabilities in OSS with tools like CodeQL and GitHub Code Search. The problem that I face is how to actually get those vulnerabilities fixed.

I have actually attempted private disclosure to organizations when I encountered a large-scale security vulnerability in the past. It took me months of work ([example](https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)). Reporting these vulnerabilities one at a time is impractical due to the scale of the problem.

I believe that, when compared with other options, full disclosure with a fix is far superior to no disclosure at all.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
