GitHub user eladkal added a comment to the discussion: CVE-2024-49767

> Do you really want everyone that runs a scan on Airflow to contact the 
> security email address to ask this question?

Our policy states that we do not accept reports of automated scans. If you 
believe Airflow is affected by any security issue you should report it to the 
security email address with a clear explanation of what the risk is and how it 
can be exploited. If you can't specify how it can be exploited the report will 
be automatically rejected. There are dozens of automated tools that generate 
many false reports and there are many people who report 
thoughts/concerns/questions. As an open source project that consists mostly of 
volunteers we cannot triage and handle such traffic volume so we expect the 
reporter to go the extra mile and verify that the problem being reported is real.

You are also very welcome to raise your thoughts on the policy itself with the 
same email if you believe it should change and can offer reasoning for it.

GitHub link: 
https://github.com/apache/airflow/discussions/44865#discussioncomment-11540701

----
This is an automatically sent email for commits@airflow.apache.org.
To unsubscribe, please send an email to: commits-unsubscr...@airflow.apache.org