[Secure-testing-team] References to Secunia IDs

Moritz Muehlenhoff jmm at inutil.org
Wed Nov 19 22:13:51 UTC 2008


On Wed, Nov 19, 2008 at 04:07:27PM -0600, Raphael Geissert wrote:
> Moritz Muehlenhoff wrote:
> 
> > When filing bugs, please don't ask maintainers to refer to Secunia IDs.
> > The entries in there are often poorly researched and not suitable as
> > unique references among distributions. Rather point them to the CVE
> > entry or - if not yet available - tell them that a CVE ID is going
> > to be requested.
> 
> This is what I have on my template:
> > If you fix the vulnerability please also make sure to include the SA id (or 
> > the CVE id when one is assigned) in the changelog entry.
> 
> Do I really need to mention that "a CVE ID is going to be requested"?
> 
> I believe it is better to have a Secunia ID than no other information to easily
> identify the issue. Or should I stop asking for that?

I'd write:
| If you fix the vulnerability please also make sure to include the CVE id
| (if available) in the changelog entry.

In such a case it's probably better to simply add a CVE ID to the bug log
later; the Secunia IDs are too disorganised to be useful.

Thanks,
        Moritz


