Reporting flow for security issues

Hauke Mehrtens hauke at hauke-m.de
Sun Apr 26 04:04:45 PDT 2026


On 4/26/26 08:36, Paul Spooren wrote:
> Hi,
> 
> I’m the one monitoring and responding to contact at openwrt.org and the number of security reports is increasing (like with so many other projects). The reports are great (thanks!) to plain AI slop. Since I’m not familiar with all OpenWrt components, I forward reports to maintainers and ask them to reproduce findings prior to escalating or filing CVEs.
> 
> This works, however I’m wondering if using GitHub security reports would be a better entrance and an email to contact at o.o only an “escalation”, if maintainers do not respond? Right now all OpenWrt projects are mirrored to GitHub, so discussion and CVE requesting could be handled there, without a ping-pong.
> 
> For the intermediate time, I’d subscribe to all security alerts of all projects and assign OpenWrt maintainers the duty step by step (if they haven’t set up notifications on their own yet).
> 
> Thoughts?
> 
> Best,
> Paul
Hi,

Thanks for managing the security reports and bringing this topic up.

I think using GitHub security reports is a good idea. Jonas said that 
only the core members can access it; even if more people can access it, 
it should be fine. We should try to release the fix soon.

The US intelligence agencies probably also have access to the private 
GitHub security report. We should just fix and publish it soon.

I think this has multiple advantages:
  * allows adding the report to the discussion
  * allows writing the full security report in private already
  * having a private branch with the fix
  * requesting CVE numbers over GitHub actually works

Should the security reports directly create such an issue at github or 
still send us a mail? Are they able to do so?

We should also make sure that we do not ignore such reports and have 
some sort of process for that.

Hauke