2014-03-10 9:34 GMT-03:00 Simon McVittie <s...@debian.org>:
> (Please keep the bug's email address in Cc with any information on this
> bug that is intended to be public.)
>

Sorry about that!

> On 10/03/14 12:06, Gustavo Grieco wrote:
> > Have you already reported this bug to mp3gain's upstream developer
> > <http://mp3gain.sourceforge.net/>
> >
> > I haven't. Should I now?
>
> You probably know more about this bug and its implications than I do, so
> yes, please do. Please reply to this bug report with a link to the
> upstream bug.
>

I was waiting to receive a response from the package maintainer before submitting a bug report to the upstream developer. Anyway, the upstream report is here: https://sourceforge.net/p/mp3gain/bugs/36/

> I must admit I'm rather surprised to see a member of a "team working in
> vulnerability research" reporting this as a public bug to Debian without
> having notified either upstream or the Debian security team privately.
> Please consider practising responsible disclosure in future
> vulnerability reports.
>

I had an interesting discussion with one of the members of the Debian Security team, and he told me not to email them with 'private' reports if the vulnerability disclosed wasn't very important in terms of attack surface (like some other bugs we reported recently). I doubt that this was a 'serious' vulnerability (mp3gain is not a very popular program and it is very unlikely that someone will run it with an untrusted mp3 file), so I started reporting it to the Debian BTS publicly as they suggested to me (upstream was another option they told me about).