←back to thread

Libxml2's "no security embargoes" policy

(lwn.net)
298 points jwilk | 2 comments | 25 Jun 25 19:36 UTC | HN request time: 0.399s | source
1. anonzzzies ◴[26 Jun 25 15:47 UTC] No.44388545[source]
We get so many 'security advisors' trying to blackmail us for money or blackmailing us to post on some social media that we don't care about security because we ignored their emails. A small company, let alone an opensource maintainer doesn't have time for this. Most of this stuff is just not priority or not valid for our case. We had some relief years ago when we changed our internal stuff to give off productnames and version numbers that simply don't exist, but because so much is frontend now tools are so good at finger printing that, so now we do get tons of those again.
replies(1): >>44388819 #
2. jonathanlydall ◴[26 Jun 25 16:17 UTC] No.44388819[source]
Someone who runs a small company with a static content website, got an email like this, I was thinking a response like the following might be a appropriate:

Thank you for reaching out to us. Please be aware that we do not run any kind of security bounty/reward programs.

Having performed our own analysis we have not been able to identify any practically exploitable security risks.

If you have found a practically exploitable security issue with our website, please provide some form of demonstration so that we may discuss further.

I don’t think that would come across as not being concerned about security, but puts the onus on the “researcher” to prove there is a real problem.

Chances are they did some automated scan and found some out of date JavaScript library version which despite having a vulnerability, is not actually a security risk on a static content site.