Handling of security reports

Hauke Mehrtens hauke at hauke-m.de
Sun Jun 7 04:51:40 PDT 2026


Hi,

I saw multiple security reports in FreeScout, but I only look into 
FreeScout every few months. On multiple security reports, the last 
response was over a week ago. Some of them are assigned to a person and 
some are not assigned.

I did not look into all reports, but I found and fixed some of them 
independently already and merged the fixes into the main branch, but did 
not go further yet.

I think coordinating this in FreeScout does not work very well. We 
cannot really have internal communication there, and the login also 
expires after some hours and I have to do 2FA auth again.

Some reports are on GitHub, but we have 92 repositories in our 
organization with individual reporting pages.

Some are here: https://github.com/openwrt/openwrt/security/advisories
Some others are here, for example: 
https://github.com/openwrt/odhcpd/security/advisories

I think the handling is not so good. How do we want to handle this?

Should we directly forward them to openwrt-adm at lists.openwrt.org, so we 
can coordinate fixing them on our normal communication channel?

I assume there are currently about 20 open security reports for OpenWrt 
components, probably with some overlaps.

Hauke


