If you find a new vulnerability from Lua, you can report it, but how? This post would be helpful to those who are trying to report Lua vulnerabilities.
Lua-l
Although there is Lua github, it hasn’t opened pull request. You can use Lua-l instead. Lua-l is an active and friendly mailing list for discussing Lua. Detailed information can be found on official website. Once you subscribe Lua-l, you can see previous discussions on Lua. It not only deals with security issues but also suggestions for improvements. In order to get positive answers from others, we recommend you to write a detailed analysis of the bug and patch suggestions if it’s possible.
Once your analysis is admitted by others in Lua-l, patch will be reflected on Lua github. This may require several days as Lua github is mirrored irregularly. Bugs page on official website of Lua will also be updated with your report. Your name is also recorded. Congratulation! You now became one of the contributors to Lua.
Request for CVE
After the patch is applied to github, you can make a request for CVE. We recommend you accurately fill out the request form and make sure to give references link such as the discussion you had made in Lua-l, Lua github, and Bugs page of Lua website.