[f3d46600-b66e]

I will point out that finding and root causing a bug (and perhaps writing a test) is THE contribution. Very often fixing the bug, once all unknowns have been resolved, is trivial.

Many times a one line fix takes days off debugging and analysis. Seems like this was the case here, since the original bug was open for 6 years.

[jacquesm]

And indeed, they received the proper accreditation for that. As well as the mailing list entries which are there for all to see.

[bitcharmer]

"Reported-by" reads like: "this person mentioned the problem to us". In this case he did all the heavy lifting which is like 95% of the work. How is reported-by a proper accreditation? I feel like many commenters here never had to debug any complex or subtle, hard-to reproduce bugs. Either that or there are many assholes on this site.

[jacquesm]

Well, maybe there should be a 'contributed an improperly signed patch with issues' tag that would cover the situation. But in the case of mailing to a security list your general expectations should be to hope that it will be included, and hopefully speedily.