Handling of security reports
Hauke Mehrtens
hauke at hauke-m.de
Sun Jun 7 04:51:40 PDT 2026
Hi,
I saw multiple security reports in FreeScout, but I only look into
FreeScout every few months. On multiple security reports, the last
response was over a week ago. Some of them are assigned to a person and
some are not assigned.
I did not look into all reports, but I found and fixed some of them
independently already and merged the fixes into the main branch, but did
not go further yet.
I think coordinating this in FreeScout does not work very well. We
cannot really have internal communication there, and the login also
expires after some hours and I have to do 2FA auth again.
Some reports are on GitHub, but we have 92 repositories in our
organization with individual reporting pages.
Some are here: https://github.com/openwrt/openwrt/security/advisories
Some others are here, for example:
https://github.com/openwrt/odhcpd/security/advisories
I think the handling is not so good. How do we want to handle this?
Should we directly forward them to openwrt-adm at lists.openwrt.org, so we
can coordinate fixing them on our normal communication channel?
I assume there are currently about 20 open security reports for OpenWrt
components, probably with some overlaps.
Hauke