[Secure-testing-team] Re: Reporting useless bugs
Martin Schulze
joey at infodrom.org
Fri Jan 12 16:45:17 CET 2007
Thijs Kinkhorst wrote:
> Dear members of the security team(s),
>
> On Fri, 2007-01-12 at 11:08 -0300, Alex de Oliveira Silva wrote:
> > Multiple vulnerabilities have been identified in phpMyAdmin, which may
> > be exploited by attackers to execute arbitrary scripting code. These
> > issues are due to unspecified input validation errors when processing
> > certain parameters, which could be exploited by attackers to cause
> > arbitrary scripting code to be executed by the user's browser in the
> > security context of an affected Web site.
>
> Have you even read this text?
>
> In recent times, I've been receiving more bug reports against packages I
> maintain that are worded like above: they are "unspecified"
> vulnerabilities over "unspecified" vectors with "unknown" implications.
>
> Please, I appreciate it when bugs are filed, but what value do
> contentless bugs like the one above add? How can they be "important"
> when there's no information in them?
>
> How would you as a maintainer respond if I submitted a bug against his
> package with the text "there's an unknown bug somewhere in your package
> with unknown results"?

You could probably start writing 15k bugs...

Regards,
Joey
--
Beware of bugs in the above code; I have only proved it correct,
not tried it. -- Donald E. Knuth
Please always Cc to me when replying to me on the lists.