* Security issue reporting mechanism
@ 2023-09-15 12:44 Mark Wielaard
0 siblings, 0 replies; only message in thread
From: Mark Wielaard @ 2023-09-15 12:44 UTC (permalink / raw)
To: gdb
Hi gdb hackers,
Because we approve bugzilla account requests we (sourceware overseers,
specifically the admin-requests team) get contacted from time to time
by people wanting to report what they believe is a security issue in
GDB.
Although the top-level SECURITY.txt says to look under the gdb
directory for a similarly named file, there is no such file:
https://sourceware.org/cgit/binutils-gdb/tree/SECURITY.txt
For now we have each time briefly discussed such issues on
irc.libera.chat in the #gdb channel to see how people feel about
forwarding a report to either the binutils team, just ask people to
report the issue publicly in bugzilla or ask the reporter to contact
secalert@redhat.com (which has a good reputation for handling and
coordinating such things with the other distros).
But it would be much more efficient if GDB could have a documented
security issue reporting mechanism and document what kind of issues
they consider just bugs that can be reported publicly.
You could take a look at binutils or elfutils for inspiration:
https://sourceware.org/cgit/binutils-gdb/tree/binutils/SECURITY.txt
https://sourceware.org/cgit/elfutils/tree/SECURITY
Cheers,
Mark
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2023-09-15 12:44 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-15 12:44 Security issue reporting mechanism Mark Wielaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).