Subject: Security issue reporting mechanism
From: Mark Wielaard
To: gdb@sourceware.org
Date: Fri, 15 Sep 2023 14:44:37 +0200
Message-ID: <9f96f87b88a4e81e9fd564178c4ecfb1b823dcda.camel@klomp.org>

Hi gdb hackers,

Because we approve bugzilla account requests, we (sourceware overseers, specifically the admin-requests team) get contacted from time to time by people wanting to report what they believe is a security issue in GDB.
Although the top-level SECURITY.txt says to look under the gdb directory for a similarly named file, there is no such file:

https://sourceware.org/cgit/binutils-gdb/tree/SECURITY.txt

For now we have each time briefly discussed such issues on irc.libera.chat in the #gdb channel to see how people feel about either forwarding a report to the binutils team, just asking people to report the issue publicly in bugzilla, or asking the reporter to contact secalert@redhat.com (which has a good reputation for handling and coordinating such things with the other distros).

But it would be much more efficient if GDB could have a documented security issue reporting mechanism and document what kind of issues they consider just bugs that can be reported publicly.

You could take a look at binutils or elfutils for inspiration:

https://sourceware.org/cgit/binutils-gdb/tree/binutils/SECURITY.txt
https://sourceware.org/cgit/elfutils/tree/SECURITY

Cheers,

Mark