Comment by endisneigh
4 years ago
I don't disagree, but the point of the research is more to point out a flaw in how OSS supposedly is conducted, not to actually introduce bugs. If you agree with what they were researching (and I don't) any sort of pre-emptive disclosure would basically contradict the point of their research.
I still think the best thing for them would be to simply create their own project and force their own students to commit, but they probably felt that doing that would be too contrived.
Pentesting has widely accepted standards and protocols.
You don't test a bank or Fortune 500 security system without buy-in of leadership ahead of time.
Those things aren’t open source and don’t take random submissions though.
In any case, as I mentioned before, I disagree with what they did.
Doing otherwise would likely amount to a crime in a lot of cases.