Reporting security vulnerability

Steve Dodier-Lazaro sidnioulz at
Sun Jun 2 22:51:40 CEST 2013

Hi Shuhao,

In these cases it's always better to not give any details about the bug on
a mailing list. If people were actively looking for ways to attack an XFCE
computer, they must have just been given a hint about something. I would
recommend you privately email the main developers of the concerned package.


2013/6/2 Shuhao <shuhao at>

> Hi,
> I've discovered a medium level security vulnerability in XFCE and I'm not
> sure where I can safely report it. I don't see the option to mark the bug
> as confidential or as a security issue in Bugzilla.
> The bug is very easy to exploit (however only if you have access to the
> machine, which makes it non-critical) and is able to bypass the lock
> screen. There is a workaround available but it is uncommonly done (imo).
> The bug should also be relatively easy to fix though I do not know enough
> of the XFCE codebase to tell.
> Any pointers would be helpful.
> Cheers,
> Shuhao

Steve Dodier-Lazaro
PhD Student in Information Security
University College London
Free Software Developer
OpenPGP : 1B6B1670