About the vulnerability reporting instructions on the web site


About the vulnerability reporting instructions on the web site

Sergio Gelato
I am under the impression that Heimdal's process for reporting sensitive bugs
is broken. I am referring to the following sentence on https://www.h5l.org/ :

"Security sensitive bug reports should be sent to [hidden email] using this PGP key (key id 3B81827E)."

Not only do I get the impression that bug reports sent in this manner are not
being acted on (it could be just a lack of feedback but that's also a problem),
but all subkeys of that PGP key have expired: the ones in the file on the web
site ten years ago, the newer ones available through the PGP keyservers more
recently.

The web site *is* being updated with release information so I don't understand
why it is not also being updated with contact information.

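A check of the kind a project could run before publishing a security-contact key, added here as an example (it is not code from the thread or from the Heimdal project): parse `gpg --with-colons --fixed-list-mode --list-keys` output and report whether any unexpired encryption subkey remains. The listing below is constructed, with placeholder key ids and dates rather than the real 3B81827E key.

```python
"""Report whether a PGP key published as a security contact still has an
unexpired encryption subkey, from `gpg --with-colons --fixed-list-mode` output."""
import time
from datetime import datetime, timezone

# Constructed sample listing (placeholder key ids and dates, NOT the real Heimdal key):
# a primary signing key whose two encryption subkeys have both expired.
SAMPLE_LISTING = """\
pub:e:4096:1:0000000000000001:1180000000:1240000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:e::::1180000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Contact <security@example.invalid>::::::::::0:
sub:e:4096:1:0000000000000002:1180000000:1240000000:::::e::::::23:
sub:e:4096:1:0000000000000003:1400000000:1500000000:::::e::::::23:
"""


def _parse_date(field):
    """Field 7 is epoch seconds (fixed-list-mode) or YYYY-MM-DD on old gpg; empty = never expires."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    return int(datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())


def parse_keys(listing):
    """One dict per pub/sub record: kind, key id, capability letters, expiry (epoch or None)."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        # Colon-format fields: 5 = key id, 7 = expiration, 12 = capabilities (lowercase = this key's own).
        keys.append({"kind": f[0], "keyid": f[4], "caps": f[11], "expires": _parse_date(f[6])})
    return keys


def usable_encryption_keys(listing, now=None):
    """Key ids that can encrypt (own capability 'e') and have not expired at `now`."""
    now = time.time() if now is None else now
    return [k["keyid"] for k in parse_keys(listing)
            if "e" in k["caps"] and (k["expires"] is None or k["expires"] > now)]


def contact_key_is_usable(listing, now=None):
    """True only if a reporter could still encrypt to this key; a security page should check this."""
    return bool(usable_encryption_keys(listing, now))


if __name__ == "__main__":
    print("usable encryption subkeys:", usable_encryption_keys(SAMPLE_LISTING) or "none (all expired)")
```

On a real key, pipe the output of `gpg --with-colons --fixed-list-mode --list-keys <keyid>` into `contact_key_is_usable`; the same check works on a key file via `gpg --with-colons --show-keys`.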

Re: About the vulnerability reporting instructions on the web site

Sergio NNX

> Not only do I get the impression that bug reports sent in this manner are not being acted on .......

I am under the same impression too.

When one clicks on 'https://roundup.it.su.se/jira/browse/HEIMDAL', one gets a 'Server not found' page.

The same happens when you click on 'https://list.sics.se/sympa/info/heimdal-discuss'.


Please, have a look at the (recent) issues on GitHub.



From: Heimdal-discuss <[hidden email]> on behalf of Sergio Gelato <[hidden email]>
Sent: Wednesday, 30 August 2017 8:18 PM
To: [hidden email]
Subject: About the vulnerability reporting instructions on the web site