On Thu, Nov 24, 2022 at 10:14 AM Mark Thomas <[email protected]> wrote:
>
> Hi all,
>
> We currently receive reports from oss-fuzz to the Tomcat security list.
> There is a relatively high volume of reports with a very high false
> positive rate. To date, we haven't had any valid security issues reported.
>
> Concern has been expressed that oss-fuzz is generating excessive noise
> on the security list.
>
> I'd like to propose the following solution, recently adopted by Apache
> Commons.
>
> 1. Create a new, private mailing list: [email protected]
>
> 2. This new list becomes the primary contact for oss-fuzz issues.
>
> 3. [email protected] remains on the CC but we disable notifications
>    unless the issue is explicitly starred
>
> The new process would then be:
>
> - issues reported to [email protected]
> - interested PMC members subscribe to that list
> - we triage issues (depending on volume this could become an issue)
> - false positives are rejected
> - bugs are fixed
> - security issues are starred
>   this triggers notification of issue updates to the security list
> - security issues are handled as per the usual process
>
> Thoughts?
+1

Rémy
