Bug #78332 Security vulnerability option
Submitted: 5 Sep 2015 1:47 Modified: 6 Sep 2015 21:46
Reporter: Roel Van de Paar
Status: Not a Bug
Category: MySQL Websites: bugs.mysql.com Severity: S2 (Serious)
Version: OS: Any
Assigned to: CPU Architecture: Any

[5 Sep 2015 1:47] Roel Van de Paar
When logging a bug, the reporter can tick yes/no on 'Does this bug report represent a security vulnerability?'

However, afterwards, the original bug reporter loses this possibility, as does anyone external who wants to update the bug.

It would be good if it were possible to set this flag even after logging it. For example, it may be forgotten during logging, or new findings may show it to be a security bug.

How to repeat:
Log a bug, go back in and try and mark as security bug, either as original poster or commenter. 

Suggested fix:
Allow at least original poster to update to security bug, but potentially also any logged in commenter.
[6 Sep 2015 11:58] Valeriy Kravchuk
I am definitely against the ability for anyone logged in (other than an Oracle engineer and, maybe, the original bug reporter) to set the "Security" bug flag. This would allow people with questionable intentions to hide any bug they want.

There is a dedicated team in Oracle to process community MySQL bug reports, as well as a dedicated team of security experts. They have passed proper Oracle training on what a "Security bug" is and how to handle it. So, if we assume they care about doing their job properly, we should rely on them to set and remove the "Security" flag according to their current policies and nothing else (I'd like to add "common sense" here as well, but it's up to Oracle security policy makers).
[6 Sep 2015 21:46] Roel Van de Paar
Fair enough. I'll close this request as the current system more or less accommodates this (original logger can set flag, but only on creation)