Handling of security reports
Hauke Mehrtens
hauke at hauke-m.de
Sun Jun 7 05:38:55 PDT 2026
On 6/7/26 13:51, Hauke Mehrtens wrote:
> Hi,
>
> I saw multiple security reports in FreeScout, but I only look into
> FreeScout every few months. On multiple security reports, the last
> response was over a week ago. Some of them are assigned to a person and
> some are not assigned.
>
> I did not look into all reports, but I found and fixed some of them
> independently already and merged the fixes into the main branch, but did
> not go further yet.
>
> I think coordinating this in FreeScout does not work very well. We
> cannot really have internal communication there, and the login also
> expires after some hours and I have to do 2FA auth again.
>
> Some reports are on GitHub, but we have 92 repositories in our
> organization with individual reporting pages.
>
> Some are here: https://github.com/openwrt/openwrt/security/advisories
> Some others are here, for example: https://github.com/openwrt/odhcpd/security/advisories
>
> I think the handling is not so good. How do we want to handle this?
>
> Should we directly forward them to openwrt-adm at lists.openwrt.org, so we
> can coordinate fixing them on our normal communication channel?
>
> I assume there are currently about 20 open security reports for OpenWrt
> components, probably with some overlaps.
>
> Hauke
Hi,

I think we should relax our disclosure process.

When we get a report we can just make a normal PR to the main branch and
get the fix into main in the next days. Some days later we can backport
it to the supported service branches. This reduces the effort on our
side, but the vulnerability is disclosed before we have fixed versions
of OpenWrt available. Maybe this results in some bad press about OpenWrt.

There are security reports for odhcpd from ~5 different people now, and
no fix has been merged as a result of these reports yet.

Hauke