@bagder
Last active February 9, 2026 22:20
curl security reporting wishlist
  1. Incoming submissions are reports that identify security problems.
  2. The reporter needs an account on the system.
  3. Submissions start private: accessible only to the reporter and the curl security team.
  4. All submissions should be disclosed and made public once dealt with, both valid and invalid ones.
  5. There should be a way to discuss the problem among security team members, the reporter and per-report invited guests.
  6. It should be possible to post security-team-only messages that the reporter and invited guests cannot see.
  7. For confirmed vulnerabilities, an advisory will be produced; the system could help facilitate that.
  8. If there is a CVE field, it must accept a CVE ID that we provide ourselves, not only one assigned by the platform.
  9. Closed and disclosed reports should be clearly marked with their outcome (valid, invalid, etc.).
  10. Reports should have a tagging system so that they can be marked as "AI slop" or with other terms, for statistics and metrics.
  11. It should be possible to ban or block abusive users from the program.
  12. Additional (customizable) requirements for the privilege of submitting reports would be appreciated (rate limits, minimum time since account creation, etc.).