[
https://issues.apache.org/jira/browse/IMAGING-354?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marcono1234 updated IMAGING-354:
--------------------------------
Description:
Hello,
on May 1st I wrote to [email protected] and got the response:
{quote}
That team will be in contact with you directly once they have completed their
investigation or if they have further questions for you. Note that as we often
receive a lot of incoming reports, issues are generally dealt with in severity
order so please be patient.
{quote}
Because I hadn't received any response so far, but there was activity in the
commons-imaging repository, I then responded to that mail on June 4th. So far I
still haven't received any response per mail. I think / hope I was reasonably
patient so far, but it would have been nice to have some communication, for
example confirming the issue, asking if a fix would solve the issue, or
discussing the fix...
Maybe there was an issue with e-mail communication, but because I received the
initial confirmation that my mail was received, I assumed there was no issue
with e-mail communication.
I am not planning to disclose the issue, neither here nor somewhere else any
time soon, and I am not asking for an immediate fix. It would just be nice to
have communication, see also my previous mail.
As mentioned in my mail, maybe [GitHub private vulnerability
reporting|https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository]
would be a good additional way to support vulnerability reporting, which would
also be more transparent than using mails.
CC [~ggregory]
was:
Hello,
on May 1st I wrote to [email protected] and got the response:
{quote}
That team will be in contact with you directly once they have completed their
investigation or if they have further questions for you. Note that as we often
receive a lot of incoming reports, issues are generally dealt with in severity
order so please be patient.
{quote}
Because I hadn't received any response so far, but there was activity in the
commons-imaging repository, I then responded to that mail on June 4th. So far I
still haven't received any response per mail. I think / hope I was reasonably
patient so far, but it would have been nice to have some communication, for
example confirming the issue, asking if a fix would solve the issue, or
discussing the fix...
Maybe there was an issue with e-mail communication, but because I received the
initial confirmation that my mail was received, I assumed there was no issue
with e-mail communication.
I am not planning to disclose the issue, neither here nor somewhere else any
time soon, and I am not asking for an immediate fix. It would just be nice to
have communication, see also my previous mail.
As mentioned in my mail, maybe [GitHub private vulnerability
reporting|https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository]
would be a good additional way to support vulnerability reporting, which would
also be more transparent than using mails.
CC @ggregory
> Improve vulnerability reporting
> -------------------------------
>
> Key: IMAGING-354
> URL: https://issues.apache.org/jira/browse/IMAGING-354
> Project: Commons Imaging
> Issue Type: Improvement
> Reporter: Marcono1234
> Priority: Major
--
This message was sent by Atlassian Jira
(v8.20.10#820010)