Re: [mosquitto-dev] Trying to report security vulnerability mosquitto_pub/_sub

Hi Peter,

First off, thank you for making the report and doing so in a responsible manner.

The security@xxxxxxxxxxx email is for the Eclipse Foundation as a
whole, they don't come directly to the project. That means we rely on
and benefit from the processes in place for all of the Eclipse
projects, but it does mean that there is the chance it can take longer
than it should for those reports to make it to the project. It seems
as though this has happened in this case.

Would you be able to send the details directly to me? You can verify
my email address in all of the mosquitto source files.



On Sat, 31 Jul 2021 at 10:12, Peter Lebbing <peter@xxxxxxxxxxxxxxxxx> wrote:
> Hello Mosquitto devs and mailing list users!
> I am trying to report a security issue in mosquitto_sub and
> mosquitto_pub. Per [1], I need to do that through the project's BugZilla
> or by a mail to <security@xxxxxxxxxxx>. Since I don't think Mosquitto
> has a BugZilla (rather, it uses GitHub Issues), I sent a mail.
> I sent a mail detailing the issue with reproduction instructions on
> May 16. Since I did not hear back, I sent another message on July 10,
> asking if they could please at least reply to let me know my message had
> arrived. I didn't get a reply to that mail either, unfortunately.
> Could you please let me know where to report a security vulnerability in
> mosquitto_sub and mosquitto_pub?
> I did just check against master and the issue is still there.
> Thanks!
> Peter.
> [1]