JLLeitschuh commented on PR #162: URL: https://github.com/apache/maven-scm/pull/162#issuecomment-1242417432
> No, we expect report through official ASF channel.

Unfortunately, due to the amount of time this takes, this is not possible for me to do across every repository. I created 47 OSS pull requests to fix this vulnerability across the Java ecosystem. Similarly, I opened 115 pull requests to fix Zip Slip across the Java ecosystem. It's impractical for me to manually report this vulnerability to every single project that is impacted. I have a long history of disclosing to the ASF; it is a process that I'm familiar with. However, when attempting to fix vulnerabilities at scale, what you are requesting is not possible.

Has an internal ticket been created, or has this issue just been closed until someone follows the "proper process"?

CC: @asfsecurity