Hi!

On Thu, 2026-05-28 at 21:24:01 +1000, Tal Carmel wrote:
> On Wed, May 27, 2026 at 10:25 PM Simon Josefsson wrote:
> > Tal Carmel writes:
> > > I'm reaching out on behalf of Delphos Labs because we discovered 2
> > > vulnerabilities in inetutils.
> > >
> > > What email address should we use for security disclosures? We have POCs
> > > which we would like to send securely.
> >
> > Hi! Thanks for studying inetutils. I believe it is fine to share to
> > this public bug-inetutils list, so we all can help work on investigation
> > and solutions to problems.
>
> Just to confirm, are you sure you'd like me to disclose these POCs in a
> public list? We would prefer to send this over a secure channel as this
> information could be weaponised and affect current users of inetutils.

Thank you for your thoughtfulness about the disclosure process! Really
appreciated.

While I'm not an upstream GNU inetutils maintainer (I just maintain the
GNU inetutils packages in Debian), the current disclosure stance from
upstream has caused extra pressure and undue burden on both the distro
maintainers and their security teams, to try to get together fixes to be
able to release security updates for those distros, while there were
either no releases from upstream or no ready fixes, which for the last
iteration lasted for weeks. :/

Of course distro maintainers will need to keep dealing with whatever
disclosure policy upstream decides to keep using, but…

Thanks,
Guillem
