Launchpad private security bug report transmitted in open e-mail
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | New | Undecided | Unassigned |
Bug Description
This bug exists within Launchpad itself.
Earlier today I filed a bug report with security vulnerability option checked. (See https:/
By default security vulnerability issues are supposed to be kept private. A few minutes after filing the bug report, I received an e-mail confirmation. The confirmation was sent in an open / unencrypted e-mail! Fortunately, my bug report did NOT reveal a significant security vulnerability, otherwise it may have been possible for someone to intercept the e-mail and take advantage of whatever vulnerability was disclosed in the private bug report.
Note that I later converted my original bug report to public, but the e-mail I received was clearly marked private as shown by this snippet from the confirmation e-mail:
*** This bug is a security vulnerability ***
Private security bug reported:
I might suggest that suitable Launchpad code (I have no idea what) be modified to prevent propagation of private security vulnerability bug reports via open / unencrypted e-mail. Security vulnerability bug reports marked private should remain within Launchpad. If e-mail is to be used, it should be done only with appropriate individuals using suitable encryption methods.
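The gate the reporter is asking for, as an added illustration rather than Launchpad's own notification code: before a "bug filed" e-mail is built, check whether the bug is both private and security-related and whether the recipient can receive encrypted mail; if not, the message carries only the bug number and a pointer to the tracker, never the title or description. The `Bug`, `Recipient` and `notification_body` names, the `has_encryption_key` flag and the sample bug text are assumptions made for this example; the encryption step itself for key-holding recipients is left to the mail layer and is not shown.

```python
from dataclasses import dataclass


@dataclass
class Bug:
    # Hypothetical minimal model of a tracker bug (not Launchpad's data model).
    number: int
    title: str
    description: str
    private: bool
    security_related: bool


@dataclass
class Recipient:
    # has_encryption_key: assumption that the tracker knows whether this
    # subscriber has, e.g., an OpenPGP key on file so the body can be encrypted.
    email: str
    has_encryption_key: bool


def notification_body(bug: Bug, recipient: Recipient) -> str:
    """Build the body of a bug-filed notification for one recipient.

    Private security bugs never have their title or description placed in a
    message that would go out in plaintext. When the recipient has no key on
    file, the body is reduced to a pointer back to the tracker. When a key is
    on file, the full body is returned and the caller is expected to encrypt
    it before sending (not shown here).
    """
    sensitive = bug.private and bug.security_related
    if sensitive and not recipient.has_encryption_key:
        return (
            f"A private security bug (#{bug.number}) was reported.\n"
            "Details are withheld from this unencrypted e-mail; "
            "please view the report on the tracker."
        )
    header = "*** This bug is a security vulnerability ***\n" if bug.security_related else ""
    return f"{header}Bug #{bug.number}: {bug.title}\n\n{bug.description}"


def leaks_details(body: str, bug: Bug) -> bool:
    """True if the body exposes the bug's title or description."""
    return bug.title in body or bug.description in body


# Constructed sample data for a stand-alone run.
SAMPLE_BUG = Bug(
    number=12345,
    title="Example private issue",
    description="Constructed description of a private security report.",
    private=True,
    security_related=True,
)
NO_KEY = Recipient("reporter@example.com", has_encryption_key=False)
WITH_KEY = Recipient("triager@example.com", has_encryption_key=True)

if __name__ == "__main__":
    print(notification_body(SAMPLE_BUG, NO_KEY))
```

Converting the bug to public later (as the reporter did) does not help: the plaintext copy already left the tracker, so the decision has to be made at the moment the notification is generated.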
no longer affects: ubuntu
I can confirm that I just received an e-mail confirmation of this very private security bug report minutes after it was filed.