linux-bluetooth.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* On reporting issues with potential security implications
@ 2020-03-05 10:25 Anatoly Trosinenko
  2020-03-05 11:07 ` Marcel Holtmann
  0 siblings, 1 reply; 3+ messages in thread
From: Anatoly Trosinenko @ 2020-03-05 10:25 UTC (permalink / raw)
  To: linux-bluetooth

Hello,

Many projects have some private mail list or some other policies for
reporting issues with possible security implications. I mean some bugs
that the reporter cannot qualify for sure as a "safe to publicly
disclose" (still, they can turn out to be not security-related after
review).

BlueZ, on the other hand, has a policy of "never write to them
[developers] directly" and no easily grep-able guidelines on reporting
possibly security-related issues. So, what is the preferred way for
reporting such things?

Best regards
Anatoly

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: On reporting issues with potential security implications
  2020-03-05 10:25 On reporting issues with potential security implications Anatoly Trosinenko
@ 2020-03-05 11:07 ` Marcel Holtmann
  2020-03-05 11:22   ` Anatoly Trosinenko
  0 siblings, 1 reply; 3+ messages in thread
From: Marcel Holtmann @ 2020-03-05 11:07 UTC (permalink / raw)
  To: Anatoly Trosinenko; +Cc: Bluez mailing list

Hi Anatoly,

> Many projects have some private mail list or some other policies for
> reporting issues with possible security implications. I mean some bugs
> that the reporter cannot qualify for sure as a "safe to publicly
> disclose" (still, they can turn out to be not security-related after
> review).
> 
> BlueZ, on the other hand, has a policy of "never write to them
> [developers] directly" and no easily grep-able guidelines on reporting
> possibly security-related issues. So, what is the preferred way for
> reporting such things?

unless they are high severity issues that are remotely exploitable to gain root access, I personally have no problem if they are reporting directly to the public mailing list.

For example we have test utilities and development utilities that don’t normally run in production systems. We will fix every issue reported, but they are just bugs and not security issues.

Regards

Marcel


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: On reporting issues with potential security implications
  2020-03-05 11:07 ` Marcel Holtmann
@ 2020-03-05 11:22   ` Anatoly Trosinenko
  0 siblings, 0 replies; 3+ messages in thread
From: Anatoly Trosinenko @ 2020-03-05 11:22 UTC (permalink / raw)
  To: Marcel Holtmann; +Cc: Bluez mailing list

> Hi Anatoly,
>
> > Many projects have some private mail list or some other policies for
> > reporting issues with possible security implications. I mean some bugs
> > that the reporter cannot qualify for sure as a "safe to publicly
> > disclose" (still, they can turn out to be not security-related after
> > review).
> >
> > BlueZ, on the other hand, has a policy of "never write to them
> > [developers] directly" and no easily grep-able guidelines on reporting
> > possibly security-related issues. So, what is the preferred way for
> > reporting such things?
>
> unless they are high severity issues that are remotely exploitable to gain root access, I personally have no problem if they are reporting directly to the public mailing list.
>
> For example we have test utilities and development utilities that don’t normally run in production systems. We will fix every issue reported, but they are just bugs and not security issues.

In my case the problem was I would want first get an advice on whether
some reproducer cannot signify "over the air" memory disclosure as
well (yes, I'm not familiar with Bluetooth internals...) and, if yes,
whether such disclosures are issues for BT stack. But, by doing this
via "writing to developers directly", I violate the project policy
that technically can be implemented as a spam filter as well :) So I
cannot know whether that letter was received and just postponed due to
low severity or was filtered out at all.

> Regards
>
> Marcel

Best regards
Anatoly

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-03-05 11:22 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-05 10:25 On reporting issues with potential security implications Anatoly Trosinenko
2020-03-05 11:07 ` Marcel Holtmann
2020-03-05 11:22   ` Anatoly Trosinenko

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).