Comment by dspillett

2 days ago

> No there isn't.

Yes there is, because:

> The vulnerability is either real or it isn't.

this, exactly: sometimes the vulnerability isn't, or isn't a fraction as serious as it is made out to be because it doesn't affect any sane configuration. And the project contributors don't know this until they've wasted time looking into it, time that could be spent looking into actual serious problems.

The extra problem right now is several people/groups dropping the same set of vulnerabilities with not coordination because they've got this great new tool to garner attention and want to be first. So projects have several things to look into that turn out to be exactly the same thing.

4 comments

dspillett

Reply
tptacek  2 days ago

I have no idea what you mean by a "proper" vulnerability researcher and I find the concept faintly offensive. But what do I know?

akerl_  2 days ago

Nobody is obligating open source maintainers to accept or read these reports.

  • dspillett  1 day ago

    Plenty of people will loudly state that they are irresponsible for not looking into the reports that they send, so while that isn't a direct obligation it is certainly a punishment, via potential reputation damage¹, for not doing so.

    --------

    [1] for example, see comments elsewhere in this thread saying things like "maintainers will if they care"

    • akerl_  1 day ago

      No matter what you do, there will be some group of people that thinks you’re wrong.

      It’s up to each of us to decide which peoples’ opinions we actually care about.