Changed it yesterday to use the gen. ASF security email ... and yes I was following completed maturity models for graduated projects that used private...
From: Bertrand Delacretaz <[email protected]>
To: OpenWhisk Dev <[email protected]>
Date: 03/21/2019 08:14 AM
Subject: Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Hi,

On Wed, Mar 20, 2019 at 7:21 PM Matt Rutkowski <[email protected]> wrote:
>
> ...As indicated, they are directed to use our private (PMC) email list as
> they should do by Apache process... having the new page makes this very
> clear...

Did you find ASF instructions to use private@ for security reports?

I think the recommendation is to either use [email protected] or a project-specific security@ list - if you look at http://www.apache.org/security/projects.html all addresses are security@

The goal is for the ASF security team to have an overview on security reports, to be able to take action if a PMC becomes unresponsive. I *think* security@ lists are handled in a way that provides that oversight, but private@ lists are not.

At this point my recommendation is to use [email protected] until a project-specific security@ list is needed, if volume increases for example.

-Bertrand
