Handling of security reports

Hauke Mehrtens hauke at hauke-m.de
Sun Jun 7 05:38:55 PDT 2026


On 6/7/26 13:51, Hauke Mehrtens wrote:
> Hi,
> 
> I saw multiple security reports in FreeScout, but I only look into 
> FreeScout every few months. On multiple security reports, the last 
> response was over a week ago. Some of them are assigned to a person and 
> some are not assigned.
> 
> I did not look into all reports, but I found and fixed some of them 
> independently already and merged the fixes into the main branch, but did 
> not go further yet.
> 
> I think coordinating this in FreeScout does not work very well. We 
> cannot really have internal communication there, and the login also 
> expires after some hours and I have to do 2FA auth again.
> 
> Some reports are on GitHub, but we have 92 repositories in our 
> organization with individual reporting pages.
> 
> Some are here: https://github.com/openwrt/openwrt/security/advisories
> Some others are here, for example: https://github.com/openwrt/odhcpd/security/advisories
> 
> I think the handling is not so good. How do we want to handle this?
> 
> Should we directly forward them to openwrt-adm at lists.openwrt.org, so we 
> can coordinate fixing them on our normal communication channel?
> 
> I assume there are currently about 20 open security reports for OpenWrt 
> components, probably with some overlaps.
> 
> Hauke

Hi,
I think we should relax our disclosure process.

When we get a report we can just make a normal PR to the main branch and 
get the fix into main in the next days. Some days later we can backport 
it to the supported service branches. This reduces the effort on our 
side, but the vulnerability is disclosed before we have fixed versions 
of OpenWrt available. Maybe this results in some bad press about OpenWrt.

There are security reports for odhcpd from ~5 different people now and 
no fix was merged because of these reports yet.

Hauke
