In my daily Open Source work, I find that when someone reports a suspected security problem, assessing the possible risk and impact of the issue can take significant effort and time.
Is it a security problem? If it is a security problem, what is the severity and how should it be fixed?
Security problems should be addressed as quickly as possible to reduce the risk of harm to existing users who are running vulnerable versions. It is also important that knowledge of a security problem is kept, and the work on the fix is done, behind closed doors. Once the fix is written, reviewed, tested and verified, you can announce the vulnerability and the associated fix to the world. The idea, of course, is to minimize the impact on vulnerable users by giving them a chance to upgrade to a fixed version at the same moment the bad guys hear about the flaw and can therefore start to exploit it.