For security reports, ASF already has a process; let's not improvise.

Reporters should send email to [email protected]
The process explains how to handle artifacts to reproduce the vulnerability.

Security will inform the PMC private list and forward the email.

--cs


On Wed, Mar 20, 2019 at 3:09 PM Matt Sicker <[email protected]> wrote:

> On Wed, 20 Mar 2019 at 12:52, Rodric Rabbah <[email protected]> wrote:
> >
> > We went through a case last year where a company reported a vulnerability
> > to us through [email protected] and we cc'ed them on all the communications. I
> > think that worked well. Are you suggesting we have our own project security
> > mailing list that goes to both our private list and [email protected]?
>
> Essentially, yes. This is more of a concern with larger projects (like
> this one) which are more likely to have to deal with security issues
> more often. It's essentially a way to segregate security traffic into
> its own mailing list rather than using up private@ for everything
> (which can get confusing depending on how much activity there is).
>
>
> --
> Matt Sicker <[email protected]>
>


-- 
Carlos Santana
<[email protected]>