Shane Curcuru wrote on Thu, Jul 28, 2011 at 22:34:53 -0400:
> Note that I would also recommend emailing security@ after you have a
> basic proposed plan to get advice, and to strongly consider
> following any advice you get. They and some of the other major
> Apache projects, like Tomcat, Subversion, and httpd, should also be
> able to provide good guidance on ways to alert first responders
> (packagers, binary builders, whoever) in an appropriate manner
> before public disclosures.
For Subversion we maintain a pre-notification list that contains admin contacts for some large installations and a script to email all of them individually (i.e., the same email message N times, to avoid BCC). (Members can see that at /pmc/subversion/security in the private repository.) We email the fix when it's ready, so they can install it ahead of time.
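The per-recipient mailing described above, as an added illustration that is not the Subversion project's own script (which lives in the private repository and is not reproduced here): each contact gets a separate message with a single To: header and its own Message-ID, so no recipient learns who else was pre-notified, and sending is delegated to an injected transport so the logic can be checked offline. The contact addresses, the domain used for Message-IDs, and the `smtp_transport` helper are constructed assumptions.

```python
"""Per-recipient pre-notification mailer (added example, not Subversion's script)."""
import smtplib
from email.message import EmailMessage
from email.utils import make_msgid
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample contact list. The real list is private to the PMC;
# these addresses are placeholders and are not from the thread.
SAMPLE_CONTACTS = [
    "admin@mirror-one.example",
    "secteam@hosting-two.example",
    "ops@distro-three.example",
]


def build_messages(
    sender: str,
    recipients: Iterable[str],
    subject: str,
    body: str,
    attachment: Optional[Tuple[str, str]] = None,
) -> List[EmailMessage]:
    """Build one complete message per recipient, never a shared Cc/Bcc.

    attachment is an optional (filename, text) pair, e.g. the patch the
    admins should install ahead of the public release.
    """
    messages: List[EmailMessage] = []
    seen = set()
    for rcpt in recipients:
        if rcpt in seen:  # a duplicate entry must not produce two mails
            continue
        seen.add(rcpt)
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt  # exactly one visible recipient per message
        msg["Subject"] = subject
        # Fresh Message-ID per copy; the domain is an assumed placeholder.
        msg["Message-ID"] = make_msgid(domain="example.invalid")
        msg.set_content(body)
        if attachment is not None:
            name, text = attachment
            msg.add_attachment(text, subtype="x-patch", filename=name)
        messages.append(msg)
    return messages


def send_all(messages: Iterable[EmailMessage],
             transport: Callable[[EmailMessage], None]) -> List[str]:
    """Deliver each message via transport(msg); return recipients that failed.

    A failure for one recipient must not abort the rest of the run, so
    errors are collected rather than raised.
    """
    failed: List[str] = []
    for msg in messages:
        try:
            transport(msg)
        except Exception:  # noqa: BLE001 - any transport error is recorded
            failed.append(msg["To"])
    return failed


def smtp_transport(host: str, port: int = 25) -> Callable[[EmailMessage], None]:
    """Assumed helper: a transport that relays through a local MTA."""
    def _send(msg: EmailMessage) -> None:
        with smtplib.SMTP(host, port) as smtp:
            smtp.send_message(msg)
    return _send


if __name__ == "__main__":
    # Dry run: collect messages instead of sending them.
    outbox: List[EmailMessage] = []
    msgs = build_messages(
        "security@project.example", SAMPLE_CONTACTS,
        "[pre-notification] fix for upcoming advisory",
        "A fix is attached; please install before the public release.",
        attachment=("fix.patch", "--- a/file\n+++ b/file\n"),
    )
    print("failed:", send_all(msgs, outbox.append))
    print("sent", len(outbox), "individual messages")
```

The transport is a plain callable so the same `send_all` can be pointed at `outbox.append` for a dry run and at `smtp_transport("localhost")` for the real send; `build_messages` deliberately never sets Cc or Bcc.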
