Handling of security reports

Hauke Mehrtens hauke at hauke-m.de
Wed Jun 10 03:11:50 PDT 2026


On 6/8/26 11:01, Robert Marko wrote:
> On Sun, 7 Jun 2026 at 13:53, Hauke Mehrtens <hauke at hauke-m.de> wrote:
>>
>> Hi,
>>
>> I saw multiple security reports in FreeScout, but I only look into
>> FreeScout every few months. On multiple security reports, the last
>> response was over a week ago. Some of them are assigned to a person and
>> some are not assigned.
>>
>> I did not look into all reports, but I found and fixed some of them
>> independently already and merged the fixes into the main branch, but did
>> not go further yet.
>>
>> I think coordinating this in FreeScout does not work very well. We
>> cannot really have internal communication there, and the login also
>> expires after some hours and I have to do 2FA auth again.
>>
>> Some reports are on GitHub, but we have 92 repositories in our
>> organization with individual reporting pages.
>>
>> Some are here: https://github.com/openwrt/openwrt/security/advisories
>> Some others are here, for example:
>> https://github.com/openwrt/odhcpd/security/advisories
>>
>> I think the handling is not so good. How do we want to handle this?
> 
> I agree, I don't follow FreeScout at all.
> 
>> Should we directly forward them to openwrt-adm at lists.openwrt.org, so we
>> can coordinate fixing them on our normal communication channel?
> 
> This is fine by me, it does mean that they will become public, as openwrt-adm is
> publicly archived.
> 
> Regards,
> Robert
> 
Hi,

Thinking about this again, this is a bit too harsh. We should prepare
the fixes, but I cannot guarantee anymore that a new binary for all
supported OpenWrt versions is available on the publication date.

We merge the fix into the main branch and then, immediately or some days
later, into 25.12 and 24.10. Then some days or even weeks later we
build a new binary.

Hauke


