Hi Devs
I am wondering what your opinions are when it comes to disclosing security issues on GitHub.
Do you side with the 'responsible disclosure' process, or would you prefer to disclose in the open?
I would love to hear the opinion of users and maintainers, let's have a debate!
🙌
Top comments (1)
To get us started, here are some of my thoughts...
In my opinion, both are necessary for different use cases and depending on the size of the package. But, if I had to pick one, I think I would side with public disclosure when talking about open source packages, as it is hard to find an attack vector when the package isn't tied to a specific organization, and so the benefit of open disclosure (for me) outweighs the negative effect it could possibly have.
Feel free to fight me on any of this...