While you may think they are just investigating the vulnerability, there really is a lot more that goes on behind the scenes. I know the second or third CVE we addressed took several days for me to be able to confirm it was actually a vulnerability. I was quite surprised that the DNS system doesn’t follow the spec and reject invalid DNS names on some systems. I couldn’t understand how anything bad could happen with a URL with invalid characters in the host name field. We actually had a few reports on the issue from different sources. One reporter actually then did quite a bit of research to find out which systems rejected the attack and which allowed it.
So I would give the team as much time as they need to respond.

Ralph

> On Jan 3, 2022, at 8:46 AM, Xeno Amess <xenoam...@gmail.com> wrote:
>
> It is already slow enough...
>
> I submitted a vulnerability which I think at least can be 7 points, to an
> apache project (not this one) the day before yesterday.
>
> And they have not finished the investigation yet...two days already...
>
> And considering this is in vacation, it is normal to assume the actions
> will be slower when it is in work-days.
>
> I know nearly everybody here is a volunteer, myself included.
>
> I'm not complaining, but I just wanna say, things in apache are
> already slow, maybe too slow for solving some emergency vulnerability.
>
> And now we would add another 72-hour voting procedure...
>
> Xeno Amess <xenoam...@gmail.com> wrote on Mon, Jan 3, 2022 at 23:39:
>
>> +0
>>
>> I just worried about several things.
>>
>> 1. Will it make the cve's fix come out more slowly?
>> A vote means waiting for 72 hours usually.
>>
>> 2. Do all PMC who enter the vote always have enough ability and knowledge
>> for notifying how severe a vulnerability is? Some vulnerabilities seem a
>> small problem, nothing at all, but would actually do very much damage.
>>
>>
>> Carter Kozak <cko...@ckozak.net> wrote on Mon, Jan 3, 2022 at 22:53:
>>
>>> +1
>>>
>>> -ck
>>>
>>>> On Jan 3, 2022, at 6:59 AM, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>>>
>>>> Hello,
>>>>
>>>> As discussed earlier[1], this is a vote to introduce the process that
>>>> enforces CVE submissions and their content should be first subject to
>>>> voting using the (private) `secur...@logging.apache.org` mailing list.
>>>>
>>>> [] +1, accept the process
>>>> [] -1, object to the process because...
>>>>
>>>> The vote will remain open for 72 hours (or more if required). All
>>>> votes are welcome and we encourage everyone to participate, but only
>>>> Logging PMC votes are “officially” counted. As always, at least 3 +1
>>>> votes and more positive than negative votes are required.
>>>>
>>>> Kind regards.
>>>>
>>>> [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl
>>>