Respecting maintainer time should be in security policies
- #Open Source
- #Maintainers
- #Security
- Generative AI tools are leading to longer vulnerability reports, making triaging more difficult for open source maintainers.
- Maintainers find lengthy reports time-consuming and stressful, regardless of whether the vulnerability is genuine.
- David Lord, maintainer of Flask and the Pallets projects, stresses that security reports should respect maintainer time.
- Proposal: security policies should require that initial reports be concise, so that maintainers can triage them quickly.
- Example policy requirements can be added without directly mentioning LLMs or generative AI.
- Reports not meeting the policy can be returned to the reporter with a canned response.
- Vulnerability reporters often provide excessive detail to reduce back-and-forth, but should adapt to project needs.
- Many reporters act in good faith; maintainers should use discretion when enforcing policy requirements.