Hi, I think I spotted a small vulnerability while reading through a module - it seems very minor and unlikely to be exploited in practice, but it’s there and I’d like to report and fix it (if it’s even actually a problem, having a second pair of eyes would be nice).
I imagine there are probably tons of these small vulnerabilities, some seem to even just be reported publicly (e.g. #121293, which actually seems relatively major) without fixes. The security policy doesn’t give much guidance for small nits like these and it seems overkill to email some of the most busy people in the community with this kind of thing.
At this point I was tempted to just forget I ever saw anything and move on; instead, I figure it’s useful to raise this here - what should someone in this situation do, and can we elaborate on the security policy a bit to give more guidance to potential contributors?
Reporting something full-disclosure is always better than not reporting something because a more involved disclosure would take too much time.
So definitely file a nixpkgs issue in all cases!
It will allow others to judge the severity for themselves – an issue might be minor for one user, and major for another. It will also allow you and others to easily communicate who does the fix, and whether progress is made.
If your issue is like that one (finding a general class of vulnerability, for which a detailed investigation needs to be made into how much of nixpkgs is affected), file a new issue, describe it, and perhaps mark it with the 3.skill: sprintable label if it has multiple items that can be worked down by contributors in a sharded fashion.
I think reporting issues confidentially makes sense for big, easily exploitable issues like unauthenticated remote code execution, and so on.
For “small nits”, a plain issue with the security label is best.
Oh, and if the module has a maintainer, that might be a good person for non-public disclosure, though even here I wouldn’t give them too much time, probably a week before publishing at most. (And one can commonly encounter people marked as maintainers that aren’t active anymore and don’t react.)