Ask HN: Reporting Security Vulnerabilities to Developers

2 points by stellersjay ↗ HN
Curious on how most developers/engineers receive reported security issues in their code, service or infrastructure today? What you do and dont like about the process? What would be ideal view of seeing such submissions?

For security teams what are some pain points of being able to submit security related bugs to developers. What would be your ideal way to communicate to developers?

1 comment

[ 5.0 ms ] story [ 15.0 ms ] thread
With open source its pretty easy. You just file an issue or submit a PR.

With proprietary software its much more difficult to get the company's attention. So a lot of people will give a time frame where if the security flaw isn't fixed they will publicly disclose the vulnerability, thus forcing the company's hand.