[gdal-dev] How to deal with security related bug reports?
Even Rouault
even.rouault at spatialys.com
Thu Jul 29 14:29:01 PDT 2021
> I've read the security.md file and maybe I'm running a little slow
> today, but I still don't understand how I would go about reporting a
> serious security bug and what will happen afterwards.
> Let's say I find a really serious vulnerability, something that might
> let me erase your file system, or perhaps to run some code as root. It
> seems irresponsible to provide any level of detail about this in a
> public issue tracker beyond saying "contact me, I've found a major
> vulnerability". I realize this is a real problem for the development
> team because you don't know if I've really found something or I'm a
> troll out to waste your time. On the flip side, posting "the string
> xxx in a file read by driver yyy will allow me to do <horrible thing>"
> in a public issue tracker is just asking for trouble.
Fair point. I've added a commit with the following text: "However please refrain from publicly posting exploits with harmful consequences (data destruction, etc.). Only people with the github handles from the [Project Steering Committee](https://gdal.org/community/index.html#project-steering-committee) (or people that they would explicitly allow) are allowed to ask you privately for such dangerous reproducers if that was needed."
--
http://www.spatialys.com
My software is free, but my time generally not.