> On May 13, 2019, at 12:33, Jonathan Vanasco <[email protected]> wrote:
>
> > On Monday, May 13, 2019 at 4:17:05 AM UTC-4, Steve Piercy wrote:
> > Done!
> >
> > https://pylonsproject.org/community-support.html
> > https://trypyramid.com/documentation.html
> >
> > Thank you for bringing up the questions.
>
> I think it would make sense to put a formal policy in place requesting
> that security issues be first reported via the @security email address; they will
> be in contact within 72 hours or so to discuss whether any next steps are
> appropriate, and to please refrain from public disclosure or creating a report
> with a CVE within this timeframe.
>
> SQLAlchemy got hit with a few CVEs recently over some documented behaviors;
> because the reporters filed a CVE first, it set off a cascade of alerts
> across multiple projects that use it and packaging systems. The process was a
> lot more stressful for the maintainer than it should have been.
>
There's no central authority for CVEs and whether they should or shouldn't get a CVE ID. If you ask for one, you get one. No one verifies the reports first. Requesting CVEs up front can be annoying, but it is something that everyone has to deal with. Even if zzzeek had asked for a notice period, I doubt the person would have given it to him anyway.

Would I prefer people contact us on security@? Yes. Do I expect it? No, public bug reports are also fine (and that is how that colander one was reported; it was just ignored until I ran into it personally and found it again).

Bert
