For most open source project, there is a well-founded project team and corporate
ID: 659521 • Letter: F
Question
For most open source projects, there is a well-founded project team and corporate sponsorship, and a lot of active contributors. The procedure for filing bug reports is clearly documented.
However, there are also some open source projects that have been in existence for more than 10 years (maybe 15), and were included in all sorts of free and commercial products (OSes and Linux distros, etc.), and everyone just assumes they are correct, despite some parts being in a state of disrepair and full of bugs.
It appears to me that the real users (programmers in the know) simply choose to use the library in a certain way so as not to trigger the bug. Few choose to speak up.
There are also big-name companies that fix the bugs quietly (in their own products) without giving out any patches, and use that to their business advantage.
There is no lead developer. There is no information as to who the active developers are, except that you can browse the mailing list, see who has recently submitted patches, and assume that they might know someone who is helpful.
How should I handle a vulnerability case, without leaking information in a way that gives ammunition to the bad guys?
Explanation / Answer
Talk to Secunia (or any of the other bug databases), and let them handle it.
They do this on a daily basis, and probably already have a procedure for when they can't identify an appropriate contributor for a project.
(I would guess that, if there are no contacts for the library itself, they would contact the major projects currently using the library, allowing any widespread software to fix or work around the security issues before releasing details to the public.)