On 24/11/2022 09:13, Mark Thomas wrote:
Hi all,

We currently receive reports from oss-fuzz to the Tomcat security list. There is a relatively high volume of reports with a very high false positive rate. To date, we haven't had any valid security issues reported.

Concern has been expressed that oss-fuzz is generating excessive noise on the security list.

I'd like to propose the following solution, recently adopted by Apache Commons.

1. Create a new, private mailing list: fuzz-testing@tomcat.a.o

2. This new list becomes the primary contact for oss-fuzz issues.

3. security@tomcat.a.o remains on the CC but we disable notifications
    unless the issue is explicitly starred

The new process would then be:

- issues reported to fuzz-testing@tomcat.a.o
- interested PMC members subscribe to that list
- we triage issues (depending on volume this could become an issue)
   - false positives are rejected
   - bugs are fixed
   - security issues are starred
     this triggers notification of issue updates to the security list
- security issues are handled as per the usual process

This should now all be in place.

The recent deluge of messages to security@ was the primary contact and CC list for the existing issues being updated. That should be the last of the OSS Fuzz messages to security@ unless we star an issue during the triage process.

Mark
