On Mon, Aug 1, 2011 at 2:59 PM, Simon Phipps <[email protected]> wrote:

> One observation about this discussion: Until there is actually a way to make a binary deliverable from AOOo, any inbound security alerts would probably need to be referred to LibreOffice anyway. While the Apache-only list that's being speculatively designed here might be applicable once the project is creating deliverables, but until then a pragmatic approach of a temporary and inclusive list seems hugely preferable.
It is possible that some reports would be shared. It is also possible that some would not. For example, a report might be a duplicate. It might be wrong. It might be spam. It might require a follow-up to clarify. It might involve code that doesn't exist in LibreOffice. The discretion lies with the PPMC and their delegates.

The Apache Security page makes it clear to reporters that they are reporting a vulnerability to Apache, where it will be discussed privately by the project team. They are not told that their report, with their name, company affiliation and other contact info, will be shared more broadly than that. So even in instances where we did share information, such as with a third-party expert or via a pre-notification, that initial report would only be shared in anonymized form.

-Rob

> S.
