Most sites have a Hall of Fame to recognize security researchers who report security issues in an ethical fashion.
Bug 421097 is an example. We could use the "security" keyword and leverage Bugzilla for this.
What does it mean?
We will make a page for security researchers.
Thank you very much. :)
Hey, my report is deleted. As you posted, it is patched. You say you list that publicly, so please provide me the link and tell me about the hall of fame when you start it?
I just realized we had this page: http://www.eclipse.org/security/known.php
(In reply to Denis Roy from comment #6)
> I just realized we had this page:
> http://www.eclipse.org/security/known.php

It doesn't list any names. Is that a problem?
But my report is not added to it?
> It doesn't list any names. Is that a problem?

Maybe, but my point is that we already have a basic mechanism that lists security bugs, so perhaps an easy, low-maintenance solution is to leverage Bugzilla + that page + the security keyword for all entries that come into the security mailing list.

> but my report is not added into it..?

It is there now. The bug was still "hidden" with the Security_Advisories group, but I removed it.
Following up on Denis's idea: we could create a PHP page with a query to the Bugzilla DB for every closed and/or resolved bug with the "security" keyword. The new HOF page would list all of these bugs with the reporter.
Bugzilla can even output a query as XML, CSV or even an Atom feed.
(In reply to Denis Roy from comment #11)
> Bugzilla can even output a query in XML, CSV or even atom feed.

That should make this even easier, then. We could use this?
https://bugs.eclipse.org/bugs/buglist.cgi?keywords=security%2C%20&keywords_type=allwords&list_id=10907404&query_format=advanced&resolution=FIXED&title=Bug%20List&ctype=atom

Should we limit this page to the website component?
For a "website" security HoF, I'd say so.
(In reply to comment #10)
> We could create a PHP page with a query to the Bugzilla DB for every closed
> and/or resolved bug with the "security" keyword.

We already have this: http://www.eclipse.org/security/known.php (see Comment 6).

> The new HOF page would list all of these bugs with the reporter.

This assumes that the researcher created the bug. Many bugs come to us via different channels (e.g. the security@eclipse.org mail address). I'm not sure how we consistently do this from Bugzilla information. We can't (easily) change the reporter. Perhaps we can set the QA Contact? All of these fields require that the email address match an existing account. Researchers that contact us via security@eclipse.org may not have an account. Perhaps we can create an "HOF" keyword that indicates that the bug reporter is the individual to be honored?
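The Bugzilla-export approach discussed in this thread, as an added example that is not from the bug or from the Eclipse website's own code: a Python script that reads a constructed buglist.cgi CSV export (the column set, selected via columnlist, and the sample rows are assumptions) and builds the HOF list, publishing only FIXED bugs in the website component that carry both the "security" keyword and the "HOF" keyword proposed above, so that neither unresolved issues nor triage-filed reports end up credited on a public page.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Bugzilla buglist.cgi CSV export (ctype=csv). The column
# set is an assumption (columnlist=reporter,component,resolution,keywords on top of
# the bug_id column); the rows and addresses are made up for this example.
SAMPLE_CSV = """bug_id,reporter,component,resolution,keywords
100001,alice@example.org,Website,FIXED,"security, HOF"
100002,triage@example.org,Website,FIXED,security
100003,bob@example.org,Website,---,"security, HOF"
100004,carol@example.org,Bugzilla,FIXED,"security, HOF"
100005,dave@example.org,Website,WONTFIX,"security, HOF"
"""


def hof_entries(csv_text, component="Website"):
    """Return {reporter: [bug_id, ...]} for bugs that qualify for the Hall of Fame.

    A bug qualifies only if it is FIXED (an unresolved security bug must not be
    listed publicly), belongs to the requested component (a "website" HoF only),
    and carries both the 'security' keyword and the 'HOF' keyword that marks the
    Bugzilla reporter as the researcher to honor (bugs filed by triage on behalf
    of a security@ email report would simply not get the HOF keyword).
    """
    honored = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        keywords = {k.strip().lower() for k in row["keywords"].split(",") if k.strip()}
        if row["resolution"] != "FIXED":
            continue
        if row["component"].lower() != component.lower():
            continue
        if not {"security", "hof"} <= keywords:
            continue
        honored[row["reporter"]].append(int(row["bug_id"]))
    return dict(honored)


def render_hof(entries):
    """Render the HOF as plain text: one line per reporter, sorted by name."""
    lines = []
    for reporter in sorted(entries):
        ids = ", ".join(f"Bug {b}" for b in sorted(entries[reporter]))
        lines.append(f"{reporter}: {ids}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_hof(hof_entries(SAMPLE_CSV)))
```

The reporter column holds the Bugzilla login (an email address); a real page would map it to a display name before publishing rather than expose addresses.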
Unless somebody can come up with a relatively easy way for us to consistently associate the actual responsible party with a patch, I'm inclined to close this as WONTFIX.
(In reply to Wayne Beaton from comment #15)
> Unless somebody can come up with a relatively easy way for us to
> consistently associate the actual responsible party with a patch, I'm
> inclined to close this as WONTFIX.

I'm calling it.