On Monday, May 13, 2019 at 4:17:05 AM UTC-4, Steve Piercy wrote: > > Done! > > https://pylonsproject.org/community-support.html > https://trypyramid.com/documentation.html > > Thank you for bringing up the questions. > > I think it would make sense to put a formal policy in place requesting security issues be first reported via the @security email address, they will be in contact within 72hours or so to discuss if any next steps are appropriate, and to please refrain from public disclosure or creating report with CVE within this timeframe.
SqlAlchemy got hit with a few CVE's recently over some documented behaviors; because the reporters filed a CVE first, it set off a cascade of alerts across multiple projects that use it and packaging systems. The process was a lot more stressful for the maintainer than it should have been. -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/084317fd-5fee-45f2-94af-fde41518628e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
