On 19 Dec 2009, at 17:19, Florian Weimer wrote:

> What are your preferences for reporting potential security issues?
> Shall I post them here, open a bug, or send them through
> <[email protected]>?

If it is quite sensitive - please post to [email protected]; use pgp if/as 
needed. We'll pass it on to the developers in private. See 
http://www.apache.org/security/committers.html for more details.

Then security@<project>.org is the next level down (which auto-cc's to 
[email protected]) - or feel free to consult the AUTHORS file to directly 
mail the right developer - but do cc in [email protected] org.

If it is not very sensitive - dev is fine. Do note that security@ usually also 
triggers CVE and similar escalation if not yet done.

Shoot me or security@ a private mail if you need a hand with a judgment call.

Thanks,

Dw.


