Reporting flow for security issues

Christian Marangi (Ansuel) ansuelsmth at gmail.com
Sun Apr 26 03:31:10 PDT 2026


On Sun, 26 Apr 2026 at 08:36, Paul Spooren
<mail at aparcar.org> wrote:
>
> Hi,
>
> I’m the one monitoring and responding to contact at openwrt.org, and the number of security reports is increasing (as with so many other projects). The reports range from great (thanks!) to plain AI slop. Since I’m not familiar with all OpenWrt components, I forward reports to maintainers and ask them to reproduce the findings prior to escalating or filing CVEs.
>
> This works; however, I’m wondering whether using GitHub security reports would be a better entry point, with an email to contact at o.o only as an “escalation” if maintainers do not respond. Right now all OpenWrt projects are mirrored to GitHub, so discussion and CVE requests could be handled there, without a ping-pong.
>
> For the interim, I’d subscribe to all security alerts of all projects and assign the duty to OpenWrt maintainers step by step (if they haven’t set up notifications on their own yet).
>
> Thoughts?

Hi Paul, the problem with using GitHub directly is repositories like
the packages one, where non-core members also have write access.
Handling security reports and CVEs might be hard, and not everyone
knows the correct procedure: reproduce it -> align on a fix -> sync
with the reporter and give correct credit.

Maybe we can tweak some permissions and check whether the security tab
can be limited to core members that have access to the core repository.

I also think that we should create a wiki page with a step-by-step
guide on how to handle security reports using the GitHub CVE system.
