This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: Policy for posting security bug reports?
On 06/23/2012 06:55 AM, Petr Baudis wrote:
> I'd like to ask people familiar with other GNU projects, what is the
> policy there? E.g. for gcc, binutils (probably not too many security
> bugs in these two), coreutils, ...?
I report serious stuff privately, so that the first notice of
a bug is a patch installed into the master copy.
People are also welcome to report bugs via more-formal
approaches, e.g., the U.S. Computer Emergency Readiness Team
<http://www.kb.cert.org/vuls/html/report-a-vulnerability/>.
There is a formal channel between US-CERT and the GNU C
library developers. It used to see some activity, but
the hotline hasn't rung for quite some time, presumably
since nothing has been important enough.
As for deciding how important a bug is, I normally try to
use common sense, but if one wants to be more systematic
about it, triage tools are available. See
<http://www.cert.org/blogs/certcc/2012/04/cert_triage_tools_10.html>
for a brief discussion. (I've never used these.)