Vulnerability Reporting

Occasionally a vulnerability may be found in the OpenMAMA repository or in one of its dependent projects.

In the event that a major vulnerability is found:

  • An issue will be raised against the OpenMAMA project
  • A mail announcing the vulnerability will be sent to the mailing list. Where applicable, the mail will also include:
    • Potential impact to users and applications
    • Reference to the OpenMAMA issue raised
    • Any CVEs related to the issue
    • Any workarounds or remedial action which may be taken
  • Where a code change is required, a Pull Request will be raised referencing the OpenMAMA issue in which the vulnerability was reported.
  • The mailing list will be notified when a new OpenMAMA release containing the fix is made available.

Reporting a Vulnerability

If you believe you have found a vulnerability in OpenMAMA or one of its dependent projects, please report it immediately by raising an issue against the OpenMAMA project. Where possible, please include:

  • Details of the vulnerability
  • Languages / technologies used
  • A test harness or minimal reproduction demonstrating the vulnerability
  • The potential impact on OpenMAMA users and applications
  • Links to any related CVEs
  • Any workarounds, or ways in which applications can avoid the vulnerability, that you are aware of