@ajakk
Last active January 22, 2023 12:28
Communication with MaherAzzouzi in #1 of MaherAzzouzi/CVE-2022-37703
I attempted to get MaherAzzouzi to report their apparent information
disclosure vulnerability to Amanda upstream via an issue in their
CVE-2022-37703 repository. They apparently seemed to think that MITRE
automatically reports issues to upstreams, which is not the
case. Eventually, they deleted the issue after threatening to
irresponsibly disclose two local privilege escalations in Amanda, all
without any apparent attempt to notify upstream. As far as I can tell,
that hasn't happened yet.
I've asked GitHub to make the content of the issue public for
history's sake, but I've not gotten any response to the support ticket
so far. I have their responses to my comments in the issue from the
email notifications, and I've included them here for history's
sake. Some of my responses are included inline in their responses.
Date: Wed, 14 Sep 2022 01:01:29 -0700
From: MaherAzzouzi <notifications@github.com>
Reply-To: MaherAzzouzi/CVE-2022-37703 <reply+AG6WGNM6GIM7G7HSU2O6UOOBF3FOTEVBNHHFDSME7U@reply.github.com>
Hey,
Yes it was reported to CVE mitre, and I guess they reported it to Amanda.
Date: Wed, 14 Sep 2022 05:55:24 -0700
From: MaherAzzouzi <notifications@github.com>
Reply-To: MaherAzzouzi/CVE-2022-37703 <reply+AG6WGNK3SHSSARFAC3HWV2GBF4H4ZEVBNHHFDSME7U@reply.github.com>
Sometimes it's hard to get the security team's e-mail; the vulnerability gets patched after a CVE is released.
I will try to get their official e-mail and report it.
Still there are two LPEs to root for Amanda that should be patched (not yet disclosed).
Thank you!
Date: Wed, 14 Sep 2022 06:07:56 -0700
From: MaherAzzouzi <notifications@github.com>
Reply-To: MaherAzzouzi/CVE-2022-37703 <reply+AG6WGNIU6HDELSYXXNJARO6BF4JLZEVBNHHFDSME7U@reply.github.com>
No exploit is released until now, and I just sent an e-mail to amanda-hackers-request@amanda.org.
Thanks for your involvement.
Date: Mon, 19 Sep 2022 12:37:59 -0700
From: MaherAzzouzi <notifications@github.com>
Reply-To: MaherAzzouzi/CVE-2022-37703 <reply+AG6WGNPN4O5P5ZPOSDGFX4GBGYC2PEVBNHHFDSME7U@reply.github.com>
Closed #1 as completed.
Date: Mon, 19 Sep 2022 13:12:24 -0700
From: MaherAzzouzi <notifications@github.com>
Reply-To: MaherAzzouzi/CVE-2022-37703 <reply+AG6WGNO7TJTALISD224DRRGBGX72REVBNHHFDSME7U@reply.github.com>
I will just drop two other LPEs tonight.
On Mon, Sep 19, 2022, 20:57 ajakk ***@***.***> wrote:
> I wouldn't call this completed. I don't see any message to the mailing
> list since June <https://marc.info/?l=amanda-hackers>.
>
> Did you actually send a message to the mailing list or did you send to
> ***@***.***? That address is used for controlling
> subscription and unsubscription to the mailing list. It isn't the mailing
> list itself.
>
Date: Mon, 19 Sep 2022 13:25:29 -0700
From: MaherAzzouzi <notifications@github.com>
Reply-To: MaherAzzouzi/CVE-2022-37703 <reply+AG6WGNK46ZU5LUWM6Z3K3YOBGYIMTEVBNHHFDSME7U@reply.github.com>
I take security seriously, but I did look for the e-mail to report those at the time I found the bugs, but didn't find any.
Again, please if you know the e-mail just send it here instead of just opening random issues.
I will be thankful if you send the e-mail where I should report :)
@ajakk (author) commented Jan 1, 2023
It seems that he's blocked me on GitHub, so I can't help him make upstream reports anymore.