We went through a case last year where a company reported a vulnerability to us through [email protected] and we cc'ed them on all the communications. I think that worked well. Are you suggesting we have our own project security mailing list that goes to both our private list and [email protected]?
-r

On Wed, Mar 20, 2019 at 1:33 PM Matt Sicker <[email protected]> wrote:
> I'm not exactly sure on the process, but I think it's important to use
> a security-specific mailing list for tracking purposes. If the reports
> don't filter through [email protected], it makes sense to make a
> dedicated security@ mailing list for the project.
>
> On Wed, 20 Mar 2019 at 11:57, Rodric Rabbah <[email protected]> wrote:
> >
> > Looks good to me - thanks Matt.
> >
> > -r
> >
>
> --
> Matt Sicker <[email protected]>
