[Secure-testing-team] Reporting useless bugs

Thijs Kinkhorst thijs at debian.org
Fri Jan 12 16:25:07 CET 2007


Dear members of the security team(s),

On Fri, 2007-01-12 at 11:08 -0300, Alex de Oliveira Silva wrote:
> Multiple vulnerabilities have been identified in phpMyAdmin, which may
> be exploited by attackers to execute arbitrary scripting code. These
> issues are due to unspecified input validation errors when processing
> certain parameters, which could be exploited by attackers to cause
> arbitrary scripting code to be executed by the user's browser in the
> security context of an affected Web site. 

Have you even read this text?

In recent times, I've been receiving more bug reports against packages I
maintain that are worded like above: they are "unspecified"
vulnerabilities over "unspecified" vectors with "unknown" implications.

Please, I appreciate it when bugs are filed, but what value do
contentless bugs like the one above add? How can they be "important"
when there's no information in them?

How would you as a maintainer respond if I submitted a bug against your
package with the text "there's an unknown bug somewhere in your package
with unknown results"?
thanks,
Thijs