On Fri, Nov 19, 2021 at 9:44 PM Stanislav Malyshev <smalys...@gmail.com> wrote:
> Hi!
>
> > With Laminas, we use an email alias to allow researchers to report to us.
> > We then post the full report as a security issue on GitHub - it's a feature
> > they rolled out late 2019/early 2020 that restricts visibility to
> > maintainers initially, but allows inviting others to collaborate (we invite
> > the reporter immediately, for instance). It also creates a private branch
> > for collaboration. When the patch has been merged, you can mark the issue
> > public.
> >
> > If the plan is to move to GH anyways, this could solve security reporting.
>
> Not familiar with it, but on the initial look it seems it could work,
> with one caveat. We have a ton of reports which aren't security issues
> and some which need to be discussed before we are sure which one is that.
>
> We could do it on the list, of course, but that creates the same dangers
> as mentioned before - too easy to lose info in an un-archived ML.
> --
> Stas Malyshev
> smalys...@gmail.com

It looks like GitHub has just added support for private security reports:
https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/

I haven't looked into the details, but it probably makes sense to enable those on php-src and make this our official venue for security bug reports. This would allow retiring the last remaining use of bugs.php.net (well, apart from the archive of old issues, which should of course remain).

Regards,
Nikita