On 10/01/2013, at 4:17 PM, Tomas Sedovic wrote:

> While it's in spirit of free and open source software to publicly report
> bugs as soon as they're discovered, it's not the best thing to do with
> security vulnerabilities.
>
> The common practice between security researchers is to notify the
> developers in confidence, give them a reasonable time to fix the bug and
> then release the details to public. This is called "responsible disclosure".
>
> It helps to minimise the risks of actual exploits happening.
>
> We have a specific process for reporting security-related issues,
> documented on our Contact Us page:
>
> https://aeolusproject.org/contact.html#security-related
>
> In essence:
>
> 1. Send security vulnerabilities here: [email protected]
> 2. if you want, GPG-encrypt the email using our public key:
> https://aeolusproject.org/keys/aeolus-security-public-gpg-key.asc
>
> Please keep this in mind when you discover a new security issue. It will
> only become more serious as our user base and downstream grows.

Interestingly, that link is to the old website (which last I heard shouldn't be online any more?). The new website contact page is here:

http://www.aeolusproject.org/contact.html

Most of the security related stuff was removed to make things simpler.

+ Justin

>
> Thanks!
> Thomas

--
Aeolus Cloud Evangelist
http://www.aeolusproject.org
