Hi!

> With Laminas, we use an email alias to allow researchers to report to us.
> We then post the full report as a security issue on GitHub - it's a feature
> they rolled out late 2019/early 2020 that restricts visibility to
> maintainers initially, but allows inviting others to collaborate (we invite
> the reporter immediately, for instance). It also creates a private branch
> for collaboration. When the patch has been merged, you can mark the issue
> public.
>
> If the plan is to move to GH anyways, this could solve security reporting.

Not familiar with it, but on an initial look it seems it could work, with one caveat. We have a ton of reports which aren't security issues and some which need to be discussed before we are sure which one it is.

We could do it on the list, of course, but that creates the same dangers as mentioned before - too easy to lose info in an un-archived ML.
--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php