Reporting flow for security issues

Jonas Gorski jonas.gorski at gmail.com
Sun Apr 26 03:40:51 PDT 2026


Hi Paul,

On Sun, Apr 26, 2026 at 8:37 AM Paul Spooren <mail at aparcar.org> wrote:
>
> Hi,
>
> I’m the one monitoring and responding to contact at openwrt.org and the number of security reports is increasing (like with so many other projects). The reports range from great (thanks!) to plainly AI slop. Since I’m not familiar with all OpenWrt components, I forward reports to maintainers and ask them to reproduce findings prior to escalating or filing CVEs.
>
> This works, however I’m wondering if using GitHub security reports would be a better entrance and an email to contact at o.o only an “escalation”, if maintainers do not respond? Right now all OpenWrt projects are mirrored to GitHub, so discussion and CVE requesting could be handled there, without a ping-pong.
>
> For the intermediate time, I’d subscribe to all security alerts of all projects and assign OpenWrt maintainers the duty step by step (if they haven’t set up notifications on their own yet).
>
> Thoughts?

Thanks for starting the discussion. I actually also started thinking
about how we could maybe manage this better than the current,
definitely unsustainable state.

I think having security advisories is good, and my first idea would be
to just create one for every report we get, then triage on github in
that draft advisory. Either with the reporter if they have a github
account, or relay it (not everyone will have one, or can have one).
Once we are convinced it is an actual issue, we can request a CVE
number etc.

The advisory should be on the repository that contains the code, not
the generic openwrt repository, as this enables us to create a temporary
fork for easier review of the proposed fix.

Looking at https://docs.github.com/en/code-security/reference/permissions/permission-levels-for-repository-security-advisories,
AFAIU access to these security advisories is only automatically granted to those
that are admin/owner, which are only the core OpenWrt members (we
currently have 34 members with full owner access, and I wonder if we
really should have that many, but that is a different issue ...).
AFAIU anyone else needs to be added as a collaborator to that advisory
to even see it, even if they have write access to the repository
(though I might misunderstand it).

That should hopefully make the security process a bit more transparent
for the core members group, and especially make it more accessible to
see which issues exist that need to be addressed (either deemed valid
and fixed, or deemed invalid and closed).

We can also consider defining a small-ish security team as a subgroup
of volunteers of core members that will do the assessment, to reduce
the "everybody can do it, thinking somebody else will do it, so nobody
does" effect. Obviously this will be mostly symbolic, since they
already have full owner access.

Best regards,
Jonas


>
> Best,
> Paul