On Wed, 20 Mar 2019 at 12:52, Rodric Rabbah <[email protected]> wrote:
>
> We went through a case last year where a company reported a vulnerability
> to us through [email protected] and we cc'ed them on all the communications. I
> think that worked well. Are you suggesting we have our own project security
> mailing list that goes to both our private list and [email protected]?

Essentially, yes. This is more of a concern with larger projects (like this one) which are more likely to have to deal with security issues more often. It's essentially a way to segregate security traffic into its own mailing list rather than using up private@ for everything (which can get confusing depending on how much activity there is).

--
Matt Sicker <[email protected]>
