Due to a steady stream of Default Typing-related reports on more known "gadget types" (see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for background), I think it makes sense to clarify the procedure I think works best.

First of all, a good first step is to send a note to `i...@fasterxml.com`, explaining the basics of what you think the problem is. For the most security-conscious, this can be quite generic, and if you really want to, you can request my PGP key for sending more secure communications. Or it can contain the actual full description. Either way is fine.

Once we establish that we (Jackson maintainers) consider this to be a security vulnerability worth reporting as a CVE, we will then ask the submitter (you) to request a CVE ID, using: https://cve.mitre.org/cve/request_id.html

We may also proceed with verification and a fix in the meantime. There will be a Jackson (-databind, usually) issue as well, initially with low-res details, but with more details once the fix has been released.

The above procedure is what submitters have followed so far, for the most part; the main important clarification is the role of the submitter as requestor for the CVE ID.

-+ Tatu +-

--
You received this message because you are subscribed to the Google Groups "jackson-dev" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-dev/CAL4a10huFni8VYOxF7S10ORxAqCZ_MZgB6WcWLJ2%2By2-wgRupA%40mail.gmail.com.