This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Policy for posting security bug reports?


On 06/23/2012 06:55 AM, Petr Baudis wrote:

>   I'd like to ask people familiar with other GNU projects, what is the
> policy there? E.g. for gcc, binutils (probably not too many security
> bugs in these two), coreutils, ...?

I report serious stuff privately, so that the first notice of
a bug is a patch installed into the master copy.

People are also welcome to report bugs via more-formal
approaches, e.g., the U.S. Computer Emergency Readiness Team
<http://www.kb.cert.org/vuls/html/report-a-vulnerability/>.
There is a formal channel between US-CERT and the GNU C
library developers.  It used to see some activity, but
the hotline hasn't rung for quite some time, presumably
since nothing has been important enough.

As for deciding how important a bug is, I normally try to
use common sense, but if one wants to be more systematic
about it triage tools are available.  See
<http://www.cert.org/blogs/certcc/2012/04/cert_triage_tools_10.html>
for a brief discussion.  (I've never used these.)

