If you’d like, you can upload the doc to our private Subversion space: https://svn.apache.org/repos/private/pmc/logging/
> On May 22, 2025, at 00:54, Davyd McColl <dav...@gmail.com> wrote:
>
> In case anyone is interested - it's nice to have some positive feedback from
> a security researcher. Good work, Jan.
>
> There's a PDF report with the original mail which is too large to send on
> this list. If anyone wants it, please let me know.
>
> -d
>
>
> --- Forwarded message ---
> From: Derek Zimmer de...@ostif.org
> Date: May 20, 2025 22:16:47
> Subject: log4net security audit publishing
> To: dav...@gmail.com
>
> Hello Davyd,
>
> I'm Derek, founder of OSTIF. We conduct security research on open source
> projects for free.
>
> I just wanted to let you know that one of our teams reviewed log4net and
> had no security findings. We also had a look at log4cxx and had a few
> noteworthy things, so we will be publishing our work related to that and
> the fixes that are now in place.
>
> Because log4net will be mentioned in the doc, even though there are no
> findings related to your project, I wanted to make sure that we gave you a
> heads-up before publishing. If you could pass it along to Jan as well, that
> would be helpful. They have their email hidden on GitHub, so we can't reach
> out directly.
>
> The report which mentions your project is attached. (This was a very short
> engagement, so no findings doesn't mean perfect code, but it does mean that
> there are no low-hanging issues or obvious logic problems visible to the audit
> team based on what log4net does and the threat model.)
>
> We will publish our work soon.
>
> Keep up the good work!
>
> All the best,
>
> Derek Zimmer
> Executive Director
> Open Source Technology Improvement Fund
> Schedule a meeting with me anytime: https://calendly.com/derek-ostif