(lwn.net)

278 points jwilk | 1 comments | 25 Jun 25 19:36 UTC | HN request time: 0.201s | source

Show context

lukaslalinsky ◴[26 Jun 25 08:49 UTC] No.44385481[source]▶

As a maintainer of several open source projects over my life, I really hated these so called security researchers and their CVEs. I routinely fixed more impacting bugs due to user reports, but when one of these companies found a big, they made a whole theater around it, while the impact being pretty small. Pretty much any bug, except maybe a typo in the UI, is a security bug. It gets tiring very soon. And with the CVEs comes a lot of publicity and a lot of demands.

replies(1): >>44386278 #

mrweasel ◴[26 Jun 25 11:23 UTC] No.44386278[source]▶

>>44385481 #

Does the security researchers provide you with patches, or is it more frequently "there's a bug here".

In the later case I'm wondering if there's an argument to be made for "Show me the code or shut up". Simply rejecting reports on security issue which are not also accompanied by a patch. I'm think, will it devalue the CVE on the researchers resume, if the project simply says no, on the grounds of not being a fix?

Probably not.

replies(1): >>44387606 #

1. viraptor ◴[26 Jun 25 14:11 UTC] No.44387606[source]▶

>>44386278 #

CVE is an index of vulnerabilities. Whether there's a patch and who made it is largely irrelevant in that context.

↑

Libxml2's "no security embargoes" policy