|
|
|
|
Ask HN: How do you responsibly report security bugs to Open Source projects? |
|
9 points by WinonaRyder 1 hour ago | hide | past | web | favorite | 2 comments |
|
I found a DOS vulnerability in an Open Source project whose maintainer seems to be MIA at the moment. I found it in-the-wild, but not as an exploit so I've only made minimal effort to contact said maintainer - no surprise I haven't gotten a response so far.
I don't want to draw any attention to it in a bug report and I'm not sure it's OK to dig up email addresses from commit logs either.
It also got me thinking: why don't we have a Bug Bounty-like program for Open Source projects as a whole. What I mean is somewhere where we can post sensitive bugs (even for no pay) and have someone who knows what they're doing guide the process of reporting it responsibly. I know some big projects have this, but e.g. look at the mountain of dependencies that most projects are built on - many of them barely maintained.
|
|
|
|
Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact
|
from Hacker News https://ift.tt/35ay8iq
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.