Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.
In June, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 17h.
I mostly spent time on tricky updates. Uploading one with literally thousands of reverse dependencies can be quite a challenge, especially when, as is sadly common, the CVE description is (willingly?) vague and no reproducer is available.
- CVE-2019-8339/sysdig: triage
- CVE-2019-10732/kdepim: security upload, write alternate patch for 5-year-old code
- CVE-2019-12450/glib2.0: security upload, coordinate with Mike about possible complementary fix/CVE