Marcono1234 created IMAGING-354:
-----------------------------------

             Summary: Improve vulnerability reporting
                 Key: IMAGING-354
                 URL: https://issues.apache.org/jira/browse/IMAGING-354
             Project: Commons Imaging
          Issue Type: Improvement
            Reporter: Marcono1234


Hello,
on May 1st I wrote to [email protected] and got the response:
{quote}
That team will be in contact with you directly once they have completed their 
investigation or if they have further questions for you. Note that as we often 
receive a lot of incoming reports, issues are generally dealt with in severity 
order so please be patient.
{quote}

Because I hadn't received any response so far, but there was activity in the 
commons-imaging repository, I then responded to that mail on June 4th. So far I 
still haven't received any response per mail. I think / hope I was reasonably 
patient so far, but it would have been nice to have some communication, for 
example confirming the issue, asking if a fix would solve the issue, 
respectively discussing the fix...
Maybe there was an issue with e-mail communication, but because I received the 
initial confirmation that my mail was received, I assumed there was no issue 
with e-mail communication.

I am not planning to disclose the issue, neither here nor somewhere else any 
time soon, and I am not asking for an immediate fix. It would just be nice to 
have communication, see also my previous mail.

As mentioned in my mail, maybe [GitHub private vulnerability reporting|https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository] would be a good additional way to support vulnerability reporting, which would also be more transparent than using mails.

CC @ggregory

--
This message was sent by Atlassian Jira
(v8.20.10#820010)