
Re: Submitting multiple CVEs in the same bug report



hi guys,

On Fri, Apr 10, 2009 at 02:27:46PM +0200, Nico Golde wrote:
> > I ask because I recently submitted a bug on php5 and got pushback from
> > the maintainer saying that I should not have submitted multiple
> > vulnerabilites in one report [1].
> 
> I CCed seanius to this as he was the one who said that. In 
> general there is no consensus about that but just some 
> maintainers prefer that.

i think it's probably a preference thing.  however, with php it's a
very strong preference on my part to have multiple reports:

 * often the CVEs themselves are "multiple vulnerabilities", so it's
   already kinda hard to track this.
 * often the CVEs are of wildly different severity
 * sometimes we neglect to immediately fix some of the lower severity
   CVEs while closing others.

> I personally agree with you, it makes our job a lot easier 
> and the maintainer always has the ability to clone and 
> retitle bugs. However there are some cases in which I 
> refrain from reporting one big report. In case you can 
> subdivide the vulnerabilities in parts which logically fit 
> in the same category I think it makes more sense to split 
> them instead of reporting one huge grave bug.

what's the overhead on the security team's side for this,
out of curiosity?  if it's just the reporting process, maybe
some kind of CVE-fetching wrapper script could trim that down?


	sean
