On Aug 10, 2012, at 8:08 AM, Brett Porter <br...@apache.org> wrote:

> 
> On 10/08/2012, at 6:33 PM, Wido den Hollander <w...@widodh.nl> wrote:
> 
>> I can think of a legitimate reason for having webmaster@ and security@, but 
>> where do we forward them? What do we do with them if the people who it gets 
>> forwarded to are on vacation?
>> 
> 
> I don't know if webmaster would be useful any more (maybe just forward to the 
> PPMC?).

Yea…. in general, if there are general content or formatting issues with the 
cloudstack website, we'd prefer they send a note to the dev list or something 
(with a patch.  :-)  ).   If it's more severe than that (like the site is 
down), there isn't anything the PMC can do anyway and most likely 
infrastructure already knows about it due to the monitoring stuff they have 
running.


> For security, see [1]. The ASF has a dedicated security team for facilitating 
> correct handling of vulnerabilities. Vulnerabilities can be sent directly to 
> them (and they'll engage the PPMC privately, which is what most projects do), 
> or you can have a separate security list (if that group of people differs 
> from the PPMC - see [2]). If there is a separate list, security@ is 
> automatically copied, so someone is always able to respond to a report in a 
> timely manner.

As someone that is involved with a couple projects that have gotten several 
security issues reported in the last few months (CVE level issues), I would 
suggest just starting with the normal security@a.o address and let them forward 
to the PPMC.   One thing about the security@ addresses is that they DON'T run 
the spam filters on them to make sure nothing is lost.  Thus, there is a lot of 
noise.    If you can let the security team filter through that and then forward 
along the real issues to the PMC, that can be a big help.   If the volume gets 
high or you need a specific subset of the PMC to be involved in security 
issues, a separate list can be set up, but I would suggest waiting until there 
really is a need for that.  (unless you really do like reading through spam…..)

Dan



>> We should make an easy entrance for reporting security issues, but having 
>> e-mail addresses online tends to attract e-mail from people who seek 
>> support, that's what the -users list is for.
> 
> :)
> 
> You'll see in any security report [3] that they do get support questions, but 
> it doesn't seem to be a high enough volume to be a problem. I believe they 
> get politely redirected to the right place.
> 
> Cheers,
> Brett
> 
> [1] http://www.apache.org/security/
> [2] http://www.apache.org/security/projects.html
> [3] 
> http://apache.org/foundation/records/minutes/2012/board_minutes_2012_06_20.txt
>  (search for Attachment 6)
> 
> --
> Brett Porter
> br...@apache.org
> http://brettporter.wordpress.com/
> http://au.linkedin.com/in/brettporter
> http://twitter.com/brettporter
> 
> 
> 
> 
> 

-- 
Daniel Kulp
dk...@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com