SeBERTis: A Framework for Producing Classifiers of Security-Related Issue Reports
Monitoring issue tracker submissions is a crucial software maintenance activity. A key goal is the prioritization of high-risk, security-related bugs. If such bugs can be recognized early, the risk of propagation to dependent products and endangerment of stakeholder benefits can be mitigated. To...
Detecting Vulnerabilities from Issue Reports for Internet-Of-Things
Timely identification of issue reports reflecting software vulnerabilities is crucial, particularly for Internet-of-Things (IoT), where analysis is slower than in non-IoT systems. While Machine Learning (ML) and Large Language Models (LLMs) detect vulnerability-indicating issues in non-IoT systems, their I...
VulRTex: a Reasoning-Guided Approach to Identify Vulnerabilities from Rich-Text Issue Report
Software vulnerabilities exist in open-source software (OSS), and the developers who discover these vulnerabilities may submit issue reports (IRs) to describe their details. Security practitioners need to spend a lot of time manually identifying vulnerability-related IRs from the community, and the...
My Maintenance Policy
I wrote a short document describing how I maintain open source projects, to link it from my global CODE_OF_CONDUCT, CONTRIBUTING, and SECURITY files. It talks about how I prefer issues to PRs, how I work in batches, and how I'm trigger-happy with bans. It's all about setting expectations. It got so...
CVE-2023-41969
An arbitrary file deletion in ZSATrayManager where it protects the temporary encrypted ZApp issue reporting file from the unprivileged end user access and modification. Fixed version: Win ZApp 4.3.0 and later...
Spring Shell 2.1.0-RC1 is now available
On behalf of the team and everyone who has contributed, I'm happy to announce that Spring Shell 2.1.0-RC1 has been released and is now available from . Please see the release notes for more details. Thanks to all those who have contributed with issue reports and pull requests. How can you help?...
MantisBT XSS through crafted SVG documents in file_download.php
An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScri...
CVE-2022-33910
CVE-2022-33910 affects MantisBT before 2.25.5. Affected area: attaching crafted SVG documents to issue reports or bugnotes. Root cause: file_download.php opens the SVG in a browser tab instead of downloading it as a file, enabling JavaScript execution in the context of the user’s browser. Impact:...
[SECURITY] Fedora 30 Update: appstream-generator-0.7.7-1.fc30
appstream-generator is a tool to generate distribution metadata from package repositories. It will extract icons, download screenshots, validate and transform the metadata, and return XML or YAML files that can be read by AppStream clients, such as software centers. It will also generate issue...