Ask HN: Are other OS maintainers being spammed with Security Vulnerabilities?

3 points by majora2007 10 days ago · 7 comments · 1 min read


I'm being hit with small, nitpick security vulnerabilities, like being able to IDOR profile images for other users on self-hosted software.

Then the submitters are spamming me to release a vulnerability, despite me messaging them stating that the next release will trigger the release (there are no release dates for my product, but usually every 3 months).

It's becoming overwhelming. What practices are other maintainers putting in place?

Guestmodinfo 10 days ago

Is it possible to let AI analyze your messages and only show you the ones which don't contain certain keywords like "i will release vulnerability"?

  • majora2007OP 10 days ago

    Well these are well written security vulnerabilities with reproduction steps. It's hard to tell if it's an AI discovering or a user using AI to find issues. But suddenly, I'm having an influx of issues, whereas for the past 5 years, I received maybe 5. Just this month, I've been hit with 5 low effort vulnerabilities (all very small, unlikely to expose anything of value).

    But it's very hard to maintain these in addition to the release work.

    • samuelknight 10 days ago

      If it has steps to reproduce, you give it to your coding agent to "fix [bug] using TDD". If it can't make a test it wasn't reproducible.

mmarian 10 days ago

I don't have any big open source projects, but why not just ignore them?

  • majora2007OP 10 days ago

    Because if there are valid ones, they may impact users... It's important to do due diligence (but this takes time to validate them).

    • mmarian 10 days ago

      A lot of things seem important in software, but we need to prioritize and compromise based on resources available. Based on what you've said so far, it seems to me that this project isn't giving you enough resources to invest in this particular problem.

      That's the attitude I have with my software projects.

dubyabee2 10 days ago

Yes. It is across most categories of software and services.
