Hi,

Don't usually reply/post here, but I work with ROOT on a regular basis and they have a preferred route for reporting vulnerabilities.
https://github.com/root-project/root?tab=security-ov-file#readme

Ideally you'd also come to them with a patch, but this is asking a lot when working in ROOT.

On the note of delayed posting, I was under the assumption that things should ideally only be posted to oss-security after the coordinated disclosure period and/or if a patch is available.

Thanks,
Matt Christie

On Sun, May 24, 2026 at 12:55 PM Solar Designer <[email protected]> wrote:

> Hi,
>
> On Sun, May 24, 2026 at 10:07:07PM +0700, Manopakorn Kooharueangrong wrote:
> > I am requesting that you coordinate a CVE assignment.
>
> It's been many years since you could request CVE assignment from this
> list. I guess this somehow got into the training of some popular LLMs,
> since we started getting this sort of requests again lately.
>
> > == Disclosure ==
> >
> > The fix is already public via PR #22377. I plan to publish this advisory
> > once a CVE is assigned, or after 90 days from today if no CVE is assigned.
>
> You've just published this advisory to oss-security. We also started
> getting this sort of nonsense about delayed publication in postings to
> oss-security lately, which again must be the way some LLM is "confused".
>
> > Please acknowledge receipt.
>
> Please disclose the specifics of your use of AI in your reports.
>
> Alexander
