From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
I don't know if I have the correct version numbers in this bug report. I'm talking about the Bugzilla instance actually running at bugzilla.redhat.com. I don't happen to run Bugzilla myself. I just submitted bug 112078 to bugzilla.redhat.com which was marked as a security bug. Bugzilla then emailed me the bug report as plaintext. I don't think that's a good idea in the case of security bugs, since someone intercepting the email could use the info from the bug report to make another exploit. This pretty much defeats the purpose of enabling SSL in the bug reporting web form.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Discover a security bug in a Redhat distro
2. Report it to bugzilla.redhat.com with the usual forms, selecting "security related" as the severity

Actual Results:
Reporter gets a plaintext copy of your bug report

Expected Results:
Reporter should just get an email acknowledgement giving the bug number and URL to access it in the bugzilla system, but not giving the specifics. Another idea is to send the bug report under GPG encryption. Also, of course, the distro's security maintainers should get all security bugs in encrypted form, since those are the obvious mailboxes for attackers to monitor.

Additional info:
Security bugs should also not be displayed on the public Redhat Bugzilla web site, except to the reporter and Redhat security maintainers! Sheesh!!!!
I see now that someone has manually marked 112078 as unviewable to the public. That's good, but there was a period of vulnerability, plus there was the plaintext email. The defaults should be changed so that security bugs are publicly unviewable until someone marks them viewable, and when they are unviewable the email status updates should just say there was an update (without giving details) and send the url.
Security issues found in Red Hat products that the submitter does not intend to be public should not be entered into bugzilla; our advisories state that people should contact us via secalert and encrypt sensitive emails. More details are also given on our site in how to report security issues to us: http://www.redhat.com/solutions/security/news/contact.html I'm changing this bug to be a RFE which is that the bugzilla site should state somewhere that bugzilla is not intended to be used to report new, non-public security issues to us, and point people at that URL.
Until the enhancement actually gets coded, the link to the security contact page should be incorporated into the regular bug submission form, with a warning saying sensitive stuff should be submitted using the other mechanism. Just having it in the advisories is too much stuff for reporters to remember even if they read the advisories. I'm used to what mozilla.org does, which is they simply have a check box in the submission form saying it's a security bug and should not be exposed to public view. Unless Red Hat's bugzilla is way out of sync with Mozilla's, maybe the simplest way for Red Hat to do this enhancement is merge or sync to the Mozilla code.
Our code is not *way* out of sync but it is a few minor versions behind since it is based on a different database backend and can't be synced up regularly without some hand-holding. I will look at their current code and see about incorporating their security bug changes into ours in the meantime. Also I will add a blurb about reporting security problems in a different place to the add bug pages.
I am closing this bug report as there has not been any activity on this for a while and there have been various changes made to bugzilla in the meantime. If the issue still exists, kindly reopen it. Thank you.