Got a question for y'all. Over the weekend I saw this tweet from Gina Häußge, maintainer of OctoPrint3D:
@foosel: You know, at some point low effort and/or low quality security reports with overstated severity and wrong CWEs for the sake of bounty and clout actually do become a DDOS attack on Open Source maintainer resources and a contributing factor in maintainer burnout.
And it got me wondering. Over the course of many conversations, a clear pattern has emerged. Low quality vulnerabilities seem to be a problem that many maintainers have to spend (waste?) time on.
I'm trying to get a better sense of the scale and shape of this issue, so I ask:
Are there any particular channels or platforms from which you receive a disproportionate number of low quality vulnerability reports?
Beyond that specific question, I'd love to hear what y'all's experiences and thoughts are.
Transparently, this exploration is because I want to see if this is an area where Tidelift can make life a little easier for folks.