public inbox for gdb@sourceware.org
* Security issue reporting mechanism
@ 2023-09-15 12:44 Mark Wielaard
From: Mark Wielaard @ 2023-09-15 12:44 UTC (permalink / raw)
  To: gdb

Hi gdb hackers,

Because we approve bugzilla account requests we (sourceware overseers,
specifically the admin-requests team) get contacted from time to time
by people wanting to report what they believe is a security issue in
GDB.

Although the top-level SECURITY.txt says to look under the gdb
directory for a similarly named file, there is no such file:
https://sourceware.org/cgit/binutils-gdb/tree/SECURITY.txt

For now we have each time briefly discussed such issues on
irc.libera.chat in the #gdb channel to see how people feel about
either forwarding a report to the binutils team, just asking people to
report the issue publicly in bugzilla, or asking the reporter to contact
secalert@redhat.com (which has a good reputation for handling and
coordinating such things with the other distros).

But it would be much more efficient if GDB could have a documented
security issue reporting mechanism and document what kind of issues
they consider just bugs that can be reported publicly.

You could take a look at binutils or elfutils for inspiration:
https://sourceware.org/cgit/binutils-gdb/tree/binutils/SECURITY.txt
https://sourceware.org/cgit/elfutils/tree/SECURITY

Cheers,

Mark
