Handling of security reports

Robert Marko robimarko at gmail.com
Mon Jun 8 02:01:32 PDT 2026


On Sun, 7 Jun 2026 at 13:53, Hauke Mehrtens <hauke at hauke-m.de> wrote:
>
> Hi,
>
> I saw multiple security reports in FreeScout, but I only look into
> FreeScout every few months. On multiple security reports, the last
> response was over a week ago. Some of them are assigned to a person and
> some are not assigned.
>
> I did not look into all reports, but I found and fixed some of them
> independently already and merged the fixes into the main branch, but did
> not go further yet.
>
> I think coordinating this in FreeScout does not work very well. We
> cannot really have internal communication there, and the login also
> expires after some hours and I have to do 2FA auth again.
>
> Some reports are on GitHub, but we have 92 repositories in our
> organization with individual reporting pages.
>
> Some are here: https://github.com/openwrt/openwrt/security/advisories
> Some others are here, for example:
> https://github.com/openwrt/odhcpd/security/advisories
>
> I think the handling is not so good. How do we want to handle this?

I agree, I dont follow freescout at all.

> Should we directly forward them to openwrt-adm at lists.openwrt.org, so we
> can coordinate fixing them on our normal communication channel?

This is fine by me, it does mean that they will become public, as openwrt-adm is
publicly archived.

Regards,
Robert

>
> I assume there are currently about 20 open security reports for OpenWrt
> components, probably with some overlaps.
>
> Hauke
>
> _______________________________________________
> openwrt-adm mailing list
> openwrt-adm at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-adm



More information about the openwrt-adm mailing list