Censorship: why were permissions to access bug revoked from reporter?

Asked by halfdog

It seems that I as the reporter of a security bug was removed from the access list after submitting POC hints to the issue. When accessing the report, I get

  Not allowed here
  Sorry, you don't have permission to access this page.

The entry also vanished from my personal bug list. I understand that Launchpad attempts to cut down access to security issues, but is it wise to throw out the reporter without email notice or alike?

And is there a possibility to get hands on the bug again? At the moment, I do not even know who is working on it currently.

Last but not least, are there any Launchpad guidelines on who is allowed to revoke or grant read permissions to bugs?

Question information

Language: English
Status: Answered
For: Launchpad itself
Assignee: No assignee

Michael Hudson-Doyle (mwhudson) said :
#1

This isn't really a launchpad question per se, it's a use of launchpad question -- so you'll need to take it up with the security contact for the project/package you reported the bug for.

halfdog (halfdog) said :
#2

Thanks for your response. I'm currently under way doing that. The only thing is that I haven't got all the details right yet to find the answer. At the moment it seems that I've unsubscribed myself; the only two strange things are:

* I cannot remember having done so; it must have happened accidentally or someone else tricked me into it
* It could be that I have added a note after I was removed from the security bug, which should be forbidden by the Launchpad security system, I guess (depends on timezone of timestamps)

At the moment I am trying to find out which timezone the Launchpad activity log information is in and whether it is really possible to add notes to bug reports one cannot see (only by asking around of course ...).

halfdog (halfdog) said :
#3

So I guess the issue is closed on the Ubuntu project side, since there was no mail response from them for more than one week. There are still some issues on the Launchpad side that could be addressed:

* The unsubscribe button in security issues is a cry for trouble: it seems that it would unsubscribe a user without warning, but he has no possibility to get back in again. It might be that I triggered a click accidentally, since touchpads without perfect palm detection are always a good candidate for that. Hence unsubscribe from security issues should display a warning and confirm dialog to reduce this risk.

* The inconsistent activity log in Launchpad may give rise to conspiracy theories because they show only some entries, e.g. "unsubscribed" but not "subscribed". They also do not contain activities like "note added" or "edited", which would be very helpful.

* The inconsistent time/date stamps worsen the problem. It might be a good idea to use simple (user-friendly) timestamps in the normal (main) bug view; the activity log should display full-precision timestamps, always including the timezone.

* I got no answer as to whether there might be a security flaw in the way security bug access is handled. If yes, it might be possible to use the flaw to get access to these issues after enumerating all security issues by checking the bugid space. Exploitation would need additional XSS or social engineering.
