> Not only do I get the impression that bug reports sent in this manner are not
> being acted on ...
I am under the same impression too.
When one clicks on 'https://roundup.it.su.se/jira/browse/HEIMDAL', you get
'Server not found' page.
The same happens when you click on
'https://list.sics.se/sympa/info/heimdal-discuss'.
Please, have a look at the (recent) issues on GitHub.
From: Heimdal-discuss on behalf of Sergio
Gelato
Sent: Wednesday, 30 August 2017 8:18 PM
To: heimdal-discuss@h5l.org
Subject: About the vulnerability reporting instructions on the web site
I am under the impression that Heimdal's process for reporting sensitive bugs
is broken. I am referring to the following sentence on https://www.h5l.org/ :
Heimdal<https://www.h5l.org/>
www.h5l.org
What is Heimdal? Heimdal is an implementation of Kerberos 5 (and some more
stuff) largely written in Sweden (which was important when we started writing
it, less so ...
"Security sensitive bug reports should be sent to heimdal-b...@h5l.org using
this PGP key (key id 3B81827E)."
Not only do I get the impression that bug reports sent in this manner are not
being acted on (it could be just a lack of feedback but that's also a problem),
but all subkeys of that PGP key have expired: the ones in the file on the web
site ten years ago, the newer ones available through the PGP keyservers more
recently.
The web site *is* being updated with release information so I don't understand
why it is not also being updated with contact information.