curl docs: "The curl project cannot handle vulnerability reports sent to us over email. We lose track of the reports. We cannot easily disclose them. Please do not send us reports over email."
reality: we get emailed reports almost daily
🤔
Discussion
@bagder Lead them to where they should file the bugs, and let the email autoreply with the same? Then don't pick up bug reports emailed to you? Maybe better boundaries are needed in times of AI bug report overflow.
@bagder hmm. What if you said, “Do not send security e-mail to security@…, it will be ignored.”? It will filter out every person (agent) who does not read the fine print and scans for e-mail addresses, and you can automatically dispose of any e-mail received there ;)
@bagder Rule #1 of writing documentation: Nobody ever reads documentation.
@bagder 95% chance that this type of person has run through this line of thought:
"I found a vuln; I need to disclose; the way you disclose is via email; find the first @-sign on the site".
@bagder "If you are going to ignore the preceding sentence and email us anyway, please use fax instead: " followed by a non-working phone number.
@bagder there's an age-old saying that goes "tough titties" 🤷♂️