As indicated, they are directed to use our private (PMC) email list as they should do by Apache process... having the new page makes this very clear...
ASF encourages the use of a PMC's private list, but also provides a security email list for full projects... as we are an Incubator we do not get one and, clearly reading the page we pointed to previously (and still link to), we are NOT included, which would cause users issues deciding how/where to begin. What I have added is correct and consistent with other projects.

From: Rodric Rabbah <[email protected]>
To: [email protected]
Date: 03/20/2019 12:52 PM
Subject: Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

We went through a case last year where a company reported a vulnerability to us through [email protected] and we cc'ed them on all the communications. I think that worked well. Are you suggesting we have our own project security mailing list that goes to both our private list and [email protected]?

-r

On Wed, Mar 20, 2019 at 1:33 PM Matt Sicker <[email protected]> wrote:
> I'm not exactly sure on the process, but I think it's important to use
> a security-specific mailing list for tracking purposes. If the reports
> don't filter through [email protected], it makes sense to make a
> dedicated security@ mailing list for the project.
>
> On Wed, 20 Mar 2019 at 11:57, Rodric Rabbah <[email protected]> wrote:
> >
> > Looks good to me - thanks Matt.
> >
> > -r
> >
>
> --
> Matt Sicker <[email protected]>
