Hello,
Frank brought a relevant question on IRC as a follow-up to the recent addition
we did to the vulnerability disclosure document: how to act under a "major
incident":
https://curl.se/dev/vuln-disclosure.html#curl-major-incident-response
When such an incident happens in a remote future, how can external parties
tell who is a legitimate spokesperson for the project and the curl security
team?
The document suggests that all communication go through the security@ email
address, so a reply to an email sent there should of course indicate that the
person replying is part of the security team, but can we improve this?
(Especially if the incident involves bringing down curl.se infrastructure.)
I realize we can have an elaborate setup with cross-signed PGP keys, but I
fear the complexity of that might risk that we realize by the time we want to
use it that it doesn't actually work...
Right now, we don't even publish the official list of curl security team
member names, even though they can be figured out with high accuracy if you
just read enough disclosed HackerOne reports.
How do other organizations handle this?
--
/ daniel.haxx.se || https://rock-solid.curl.dev