Hi,

* Michael S. Gilbert <michael.s.gilbert@gmail.com> [2009-04-10 13:31]:
> What is the modus operandi for submitting multiple CVEs in the same bug
> report?
>
> I ask because I recently submitted a bug on php5 and got pushback from
> the maintainer saying that I should not have submitted multiple
> vulnerabilities in one report [1].

I CCed seanius to this as he was the one who said that. In general there is no consensus about that, but some maintainers just prefer that.

> From my perspective, being able to submit multiple vulns makes the job
> of the security team (and assistants) much easier and straightforward.
> And if the maintainer prefers to track vulnerabilities individually,
> then they always have the option to do so at their own leisure (via
> cloning).
>
> It may be useful to state this as the common practice/policy in the
> security-tracker overview doc. If there are no objections, I will
> modify the wording to include such a statement.

I personally agree with you; it makes our job a lot easier, and the maintainer always has the ability to clone and retitle bugs. However, there are some cases in which I refrain from reporting one big report. In case you can subdivide the vulnerabilities into parts which logically fit in the same category, I think it makes more sense to split them instead of reporting one huge grave bug. I don't think there's a general answer for this.

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.