Ask HN: Are other OS maintainers being spammed with Security Vulnerabilities?

3•majora2007•1h ago
I'm being hit with small, nitpick security vulnerabilities, like being able to IDOR profile images for other users on a self-hosted software.

Then the submitters are spamming me to release a vulnerability, despite my message stating that the next release will trigger the release (there are no release dates for my product, but usually every 3 months).

It's becoming overwhelming. What practices are other maintainers putting in place?

Comments

Guestmodinfo•1h ago
Is it possible to let AI analyze your messages and only show you the ones which don't contain certain keywords like "i will release vulnerability"?
majora2007•1h ago
Well, these are well-written security vulnerabilities with reproduction steps. It's hard to tell if it's an AI discovering or a user using AI to find issues. But suddenly, I'm having an influx of issues, whereas for the past 5 years, I received maybe 5. Just this month, I've been hit with 5 low-effort vulnerabilities (all very small, unlikely to expose anything of value).

But it's very hard to maintain these in addition to the release work.

samuelknight•19m ago
If it has steps to reproduce, you give it to your coding agent to "fix [bug] using TDD". If it can't make a test it wasn't reproducible.
dubyabee2•1h ago
Yes. It is across most categories of software and services.
mmarian•1h ago
I don't have any big open source projects, but why not just ignore them?
majora2007•1h ago
Because if there are valid ones, they may impact users... It's important to do due diligence (but this takes time to validate them).
mmarian•55m ago
A lot of things seem important in software, but we need to prioritize and compromise based on resources available. Based on what you've said so far, it seems to me that this project isn't giving you enough resources to invest in this particular problem.

That's the attitude I have with my software projects.
