On 7/29/2021 11:20 AM, Even Rouault wrote:
> I've created https://github.com/OSGeo/gdal/pull/4152 with a SECURITY.md that largely uses Kurt's proposal.
>
> Even

I've read the security.md file and maybe I'm running a little slow today, but I still don't understand how I would go about reporting a serious security bug and what will happen afterwards.
Let's say I find a really serious vulnerability, something that might let me erase your file system, or perhaps run some code as root. It seems irresponsible to provide any level of detail about this in a public issue tracker beyond saying "contact me, I've found a major vulnerability". I realize this is a real problem for the development team because you don't know if I've really found something or I'm a troll out to waste your time. On the flip side, posting "the string xxx in a file read by driver yyy will allow me to do <horrible thing>" in a public issue tracker is just asking for trouble.

How am I supposed to proceed and what response can I reasonably expect?

On the plus side for a public issue tracker, if I'm a developer on a system that relies on GDAL (e.g., QGIS), I can easily keep tabs on reported issues.
_______________________________________________
gdal-dev mailing list
gdal-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/gdal-dev