If we're going to use a form instead of having users mail [EMAIL PROTECTED], why do we need an email relay script? We could easily just set the email's FROM header to be [EMAIL PROTECTED], which is already set as a member of the list.

On Mon, Dec 1, 2008 at 10:22 PM, Sean Coates <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> Reading back a few threads, I see that we've not yet been able to
> successfully supply a method for users to report security problems,
> privately. I think this is very important to the integrity of Habari,
> especially as it gains more users.
>
> I understand that we have some problems with respect to this and
> Google Groups.
>
> So, I've taken the liberty of setting up
> [EMAIL PROTECTED]
> (my server)—it automatically rewrites the headers and sends mail to
> the private list (as you probably saw with my tests). Michael (Harris)
> helped me set up this first step. If this isn't cool, feel free to
> remove permission for this address from the list/group.
>
> Unfortunately, Google Groups hacks up the email and drops a bunch of
> headers (or so it seems), so I propose the following.
>
> Set up a "Report a security issue" link on hp.o (and link it in trac,
> if possible) that takes the user to a form that asks for:
> Name (optional), Email (optional), Description of vulnerability. The
> processor of this form is a script that collates the data and emails
> it (in the body) to [EMAIL PROTECTED], which
> relays it to the private list.
>
> This bypasses the groups problem, keeps the address non-public and
> allows us to CC the reporter on replies (if we choose). As a policy, I
> think we should mail all reporters to let them know we've received
> their report.
>
> Thoughts? (perhaps this should be a thread on habari-dev?)
>
> S

--
Bob Dole - "The internet is a great way to get on the net."
