Bug 421105 - Add a Hall of Fame to highlight security researchers who file security bugs?
Summary: Add a Hall of Fame to highlight security researchers who file security bugs?
Status: RESOLVED WONTFIX
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Website
Version: unspecified
Hardware: PC Linux
Importance: P3 enhancement
Target Milestone: ---
Assignee: phoenix.ui
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 510142

Reported: 2013-11-05 13:24 EST by Denis Roy
Modified: 2017-03-27 23:37 EDT
CC List: 4 users
See Also:

Description Denis Roy 2013-11-05 13:24:42 EST
Most sites have a Hall of Fame to recognize security researchers who report security issues in an ethical fashion.
Comment 1 Denis Roy 2013-11-05 13:25:44 EST
Bug 421097 is an example. We could use the "security" keyword and leverage Bugzilla for this.
Comment 2 Gurjant Singh 2013-11-05 13:28:16 EST
What does it mean?
Comment 3 Denis Roy 2013-11-05 13:31:16 EST
We will make a page for security researchers.
Comment 4 Gurjant Singh 2013-11-05 13:32:05 EST
Thank you very much. :)
Comment 5 Gurjant Singh 2013-11-07 01:13:38 EST
Hey, my report is deleted; as you posted, it is patched. You said you would list that publicly, so please provide me a link and tell me about the Hall of Fame when you start it?
Comment 6 Denis Roy 2013-11-27 15:23:41 EST
I just realized we had this page:
http://www.eclipse.org/security/known.php
Comment 7 Wayne Beaton 2013-11-27 16:40:55 EST
(In reply to Denis Roy from comment #6)
> I just realized we had this page:
> http://www.eclipse.org/security/known.php

It doesn't list any names. Is that a problem?
Comment 8 Gurjant Singh 2013-11-28 01:39:34 EST
But my report is not added to it?
Comment 9 Denis Roy 2013-11-28 09:56:28 EST
> It doesn't list any names. Is that a problem?

Maybe, but my point is that we already have a basic mechanism that lists security bugs, so perhaps an easy, low-maintenance solution is to leverage Bugzilla + that page + the security keyword for all entries that come into the security mailing list.

> But my report is not added to it?
It is there now. The bug was still "hidden" with the Security_Advisories group, but I removed it.
Comment 10 Christopher Guindon 2015-01-19 16:53:15 EST
Following up on Denis's idea:

We could create a PHP page with a query to the Bugzilla DB for every closed and/or resolved bug with the "security" keyword.

The new HOF page would list all of these bugs with the reporter.
Comment 11 Denis Roy 2015-01-19 16:54:34 EST
Bugzilla can even output a query in XML, CSV or even an Atom feed.
Comment 12 Christopher Guindon 2015-01-20 09:51:05 EST
(In reply to Denis Roy from comment #11)
> Bugzilla can even output a query in XML, CSV or even an Atom feed.

That should make this even easier, then.

We could use this?

https://bugs.eclipse.org/bugs/buglist.cgi?keywords=security%2C%20&keywords_type=allwords&list_id=10907404&query_format=advanced&resolution=FIXED&title=Bug%20List&ctype=atom

Should we limit this page to the website component?
Comment 13 Denis Roy 2015-01-20 11:43:05 EST
For a "website" security HoF, I'd say so.
Comment 14 Wayne Beaton 2017-02-06 21:37:30 EST
(In reply to comment #10)
> We could create a PHP page with a query to the Bugzilla DB for every closed
> and/or resolved bug with the "security" keyword.

We already have this: http://www.eclipse.org/security/known.php (see Comment 6).

> The new HOF page would list all of these bugs with the reporter.

This assumes that the researcher created the bug. Many bugs come to us via different channels (e.g. the security@eclipse.org mail address).

I'm not sure how we consistently do this from Bugzilla information. We can't (easily) change the reporter. Perhaps we can set the QA Contact?

All of these fields require that the email address match an existing account. Researchers that contact us via security@eclipse.org may not have an account.

Perhaps we can create an "HOF" keyword that indicates that the bug reporter is the individual to be honored?
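An added example, not code from this bug or from the eclipse.org site, of the two approaches discussed in comments 10-12 and comment 14: pull a Bugzilla export of "security"-keyword bugs, restrict it to the Website component, and credit reporters, either naively (every reporter of a FIXED security bug, comments 10-12) or only where a hypothetical "HOF" keyword marks the reporter as the person to honor (comment 14). It is written in Python rather than PHP, reads Bugzilla's CSV export (ctype=csv) instead of the Atom feed because the CSV can carry the keywords and component columns, and uses a constructed sample export whose bug numbers, reporters and summaries are invented; the column names are assumed to match what Bugzilla emits for those fields.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Bugzilla CSV export (buglist.cgi with ctype=csv and a
# columnlist of bug_id, reporter, component, keywords, resolution, short_desc).
# Bug numbers, reporters and summaries are invented for this example; the
# column names are assumed to match what Bugzilla emits for those fields.
SAMPLE_CSV = """bug_id,reporter,component,keywords,resolution,short_desc
100001,alice@example.org,Website,"security, HOF",FIXED,"Reflected XSS in search form"
100002,bob@example.org,Website,security,FIXED,"Open redirect after login"
100003,alice@example.org,Website,"security, HOF",FIXED,"CSRF on profile edit"
100004,carol@example.org,Forums,"security, HOF",FIXED,"Stored XSS in forum signature"
100005,dave@example.org,Website,security,WONTFIX,"Clickjacking on static page"
100006,webmaster@example.org,Website,security,FIXED,"Issue relayed from security@ list"
"""

# Standard Bugzilla bug URL pattern for the eclipse.org instance.
BUG_URL = "https://bugs.eclipse.org/bugs/show_bug.cgi?id={}"


def parse_keywords(field):
    """Split Bugzilla's comma-separated keywords field into a set of names."""
    return {k.strip() for k in field.split(",") if k.strip()}


def hall_of_fame(csv_text, component=None, honor_keyword="HOF", require_fixed=True):
    """Map reporter -> sorted list of qualifying bug ids.

    A bug qualifies when it carries the "security" keyword, is RESOLVED FIXED
    (unless require_fixed is False), belongs to `component` (if given) and,
    when honor_keyword is set, also carries that keyword. "HOF" is the
    hypothetical marker from comment 14 meaning "the reporter really is the
    person to credit"; honor_keyword=None credits every reporter of a fixed
    security bug, which is the naive approach from comments 10-12 and would
    also credit whoever relayed a report from security@ on the researcher's behalf.
    """
    credits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        keywords = parse_keywords(row["keywords"])
        if "security" not in keywords:
            continue
        if require_fixed and row["resolution"] != "FIXED":
            continue
        if component is not None and row["component"] != component:
            continue
        if honor_keyword is not None and honor_keyword not in keywords:
            continue
        credits[row["reporter"]].append(int(row["bug_id"]))
    return {reporter: sorted(ids) for reporter, ids in credits.items()}


def render_hall_of_fame(credits):
    """Render credits as plain-text lines: most bugs first, then by reporter."""
    lines = []
    ordered = sorted(credits.items(), key=lambda item: (-len(item[1]), item[0]))
    for reporter, ids in ordered:
        links = ", ".join(BUG_URL.format(bug_id) for bug_id in ids)
        lines.append(f"{reporter} ({len(ids)}): {links}")
    return lines


if __name__ == "__main__":
    # Website-only HOF honoring only bugs tagged with the hypothetical HOF keyword.
    for line in render_hall_of_fame(hall_of_fame(SAMPLE_CSV, component="Website")):
        print(line)
```

With the HOF keyword required, the sample credits only alice@example.org (two Website bugs); carol's bug is excluded by the component filter and dave's by its WONTFIX resolution. Dropping the keyword requirement (honor_keyword=None) also credits bob and the webmaster account that relayed a mailing-list report, which is exactly the misattribution comment 14 warns about. Bugzilla's CSV export shows the reporter's login rather than a display name, so a real page would still need a mapping from logins to the names researchers want shown.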
Comment 15 Wayne Beaton 2017-03-01 16:11:19 EST
Unless somebody can come up with a relatively easy way for us to consistently associate the actual responsible party with a patch, I'm inclined to close this as WONTFIX.
Comment 16 Wayne Beaton 2017-03-27 23:37:22 EDT
(In reply to Wayne Beaton from comment #15)
> Unless somebody can come up with a relatively easy way for us to
> consistently associate the actual responsible party with a patch, I'm
> inclined to close this as WONTFIX.

I'm calling it.