Josh Simmons

Low quality vulnerability reports?

Got a question for y'all. Over the weekend I saw this tweet from Gina Häußge, maintainer of OctoPrint3D:

@foosel: You know, at some point low effort and/or low quality security reports with overstated severity and wrong CWEs for the sake of bounty and clout actually do become a DDoS attack on Open Source maintainer resources and a contributing factor in maintainer burnout.

And it got me wondering. Over the course of many conversations, a clear pattern has emerged. Low quality vulnerabilities seem to be a problem that many maintainers have to spend (waste?) time on.

I'm trying to get a better sense of the scale and shape of this issue, so I ask:

Are there any particular channels or platforms from which you receive a disproportionate number of low quality vulnerability reports?

Beyond that specific question, I'd love to hear what y'all's experiences and thoughts are.

Transparently, this exploration is because I want to see if this is an area where Tidelift can make life a little easier for folks.

