Ask HN: How do you responsibly report security bugs to open-source projects?, Hacker News


Ask HN: How do you responsibly report security bugs to open-source projects?
by WinonaRyder (1 hour ago) | 8 comments
I found a DoS vulnerability in an Open Source project whose maintainer seems to be MIA at the moment. I found it in-the-wild, but not as an exploit, so I’ve only made minimal effort to contact said maintainer – no surprise I haven’t gotten a response so far.

I don’t want to draw any attention to it in a bug report, and I’m not sure it’s OK to dig up email addresses from commit logs either.

It also got me thinking: why don’t we have a Bug Bounty-like program for Open Source projects as a whole? What I mean is somewhere we can post sensitive bugs (even for no pay) and have someone who knows what they’re doing guide the process of reporting it responsibly. I know some big projects have this, but e.g. look at the mountain of dependencies that most projects are built on – many of them barely maintained.
