Disallowing reporting without creating a dedicated account is impractical for small project

[bukka]

This is about this point in the current spec document:

vulnerability-management-spec/spec.md

Line 54 in 2e0d61a

At least one of the reporting methods listed in the Policy MUST allow reporting without creating a dedicated account.

Is there some specific point in CRA that would require this to be a MUST. I can't find it but I might missed it.

If there is no such point, I think this should change to SHOULD as many small projects just don't have resource to manage reporting in multiple platforms. Lots of projects (including bigger ones like PHP) are completely switching to GitHub advisories so this would basically require keeping (e.g. for PHP we also have email but it's just getting so much spam and it's quite annoying to manage) or creating another method for reporting. I'm not really sure if advisory can be reported by anyone without the GitHub account. In reality pretty much everyone has got that account (I know there are exceptions but they are often not worth the hassle for the project in terms of resources for additional infra).

[mrybczyn]

@bukka thank you for rising this point. The idea behind was to say it is not ok to ask for a specific account for that specific project. The idea was that email reporting or similar does not fall under this.

The CRA actually talks about anonymous reporting, for example in the recital 76 (then by a CSIRT)

With that clarification, do you have a proposal on how to reword this phrase?

[bukka]

So I have been just reading that recital 76 like 10 times and I'm not really sure this should require anonymous reporting. I will just quote that main part here:

Manufacturers of products with digital elements should put in place coordinated vulnerability disclosure policies to facilitate the reporting of vulnerabilities by individuals or entities either directly to the manufacturer or indirectly, and where requested anonymously, via CSIRTs designated as coordinators for the purposes of coordinated vulnerability disclosure in accordance with Article 12(1) of Directive (EU) 2022/2555

First of all this recital is mainly about the coordinated disclosure policy. The way how I understand additional and where requested anonymously is that it should be possible to do coordination anonymously but I'm not 100% sure to be honest as I don't see how could such coordination be useful so I might be misunderstanding the idea... :) In any case I can't see how could this be requirement for enforcing anonymous vulnerability reporting.

I understand that email is anonymous but that's exactly what most projects do not want - manage another channel for reporting security issue. From my experience such email addresses get so much spam (e.g. for security@php.net at least 95% of messages are a complete rubbish and it's getting worse). Anything that doesn't require account usually result in the spam handling issue and that's a very bad side effect.

I think you had actually good intention when adding this and it actually makes sense but it's just not practically thought through and specifically that spam issue has not been considered.

Honestly I would prefer to completely get rid of this part or if there is a feeling this should be really provided, then please at least change MUST to SHOULD.

[mrybczyn]

SHOULD means that the organization doesn't need to comply. This is why I really prefer a MUST here, but we can change the formulation.

@bukka What about: "At least one of the reporting methods listed in the Policy MUST allow reporting anonymously, with an account that the Researcher likely already has, or that they can create at no cost and rapidly. "