Handling of security reports
Robert Marko
robimarko at gmail.com
Mon Jun 8 02:01:32 PDT 2026
On Sun, 7 Jun 2026 at 13:53, Hauke Mehrtens <hauke at hauke-m.de> wrote:
>
> Hi,
>
> I saw multiple security reports in FreeScout, but I only look into
> FreeScout every few months. On multiple security reports, the last
> response was over a week ago. Some of them are assigned to a person and
> some are not assigned.
>
> I did not look into all reports, but I found and fixed some of them
> independently already and merged the fixes into the main branch, but did
> not go further yet.
>
> I think coordinating this in FreeScout does not work very well. We
> cannot really have internal communication there, and the login also
> expires after some hours and I have to do 2FA auth again.
>
> Some reports are on GitHub, but we have 92 repositories in our
> organization with individual reporting pages.
>
> Some are here: https://github.com/openwrt/openwrt/security/advisories
> Some others are here, for example:
> https://github.com/openwrt/odhcpd/security/advisories
>
> I think the handling is not so good. How do we want to handle this?
I agree, I dont follow freescout at all.
> Should we directly forward them to openwrt-adm at lists.openwrt.org, so we
> can coordinate fixing them on our normal communication channel?
This is fine by me, it does mean that they will become public, as openwrt-adm is
publicly archived.
Regards,
Robert
>
> I assume there are currently about 20 open security reports for OpenWrt
> components, probably with some overlaps.
>
> Hauke
>
> _______________________________________________
> openwrt-adm mailing list
> openwrt-adm at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-adm
More information about the openwrt-adm
mailing list