Hi,

On Wed, Mar 20, 2019 at 7:21 PM Matt Rutkowski <[email protected]> wrote:
>
> ...As indicated, they are directed to use our private (PMC) email list as
> they should do by Apache process... having the new page makes this very
> clear...

Did you find ASF instructions to use private@ for security reports?

I think the recommendation is to either use [email protected] or a project-specific security@ list - if you look at http://www.apache.org/security/projects.html all addresses are security@

The goal is for the ASF security team to have an overview on security reports, to be able to take action if a PMC becomes unresponsive. I *think* security@ lists are handled in a way that provides that oversight, but private@ lists are not.

At this point my recommendation is to use [email protected] until a project-specific security@ list is needed, if volume increases for example.

-Bertrand
