On Thu, Nov 24, 2022 at 10:14 AM Mark Thomas <ma...@apache.org> wrote:
>
> Hi all,
>
> We currently receive reports from oss-fuzz to the Tomcat security list.
> There is a relatively high volume of reports with a very high false
> positive rate. To date, we haven't had any valid security issues reported.
>
> Concern has been expressed that oss-fuzz is generating excessive noise
> on the security list.
>
> I'd like to propose the following solution, recently adopted by Apache
> Commons.
>
> 1. Create a new, private mailing list: fuzz-testing@tomcat.a.o
>
> 2. This new list becomes the primary contact for oss-fuzz issues.
>
> 3. security@tomcat.a.o remains on the CC but we disable notifications
> unless the issue is explicitly starred
>
> The new process would then be:
>
> - issues reported to fuzz-testing@tomcat.a.o
> - interested PMC members subscribe to that list
> - we triage issues (depending on volume this could become an issue)
> - false positives are rejected
> - bugs are fixed
> - security issues are starred
>   this triggers notification of issue updates to the security list
> - security issues are handled as per the usual process
>
> Thoughts?
+1

Rémy

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org