If you have discovered a security vulnerability in Buildbot, please be careful in how you disclose it, as the security of many significant projects depends on Buildbot.

Here is what we recommend:

  1. Email the maintainer (dustin@…) directly, explaining the vulnerability in detail and any recommended fixes. If you have a full-disclosure deadline, please state it clearly.
  2. Dustin will reply as soon as possible to indicate that your email was received, and will correspond with you while the issue is being fixed. He may copy other committers who can help solve the problem.
  3. Once a fix is ready, Dustin or another committer will take care of making patch releases for affected versions, committing the fixes, and posting an announcement to the mailing list. Unless you ask to remain anonymous, you will be credited with discovery of the vulnerability.

Last modified on Jun 28, 2015, 5:06:32 PM