On 9/18/25 05:03, Daniel Stenberg via curl-library wrote:
> Hello,
>
> Frank brought a relevant question on IRC as a follow-up to the recent
> addition we did to the vulnerability disclosure document: how to act under
> a "major incident":
>
> https://curl.se/dev/vuln-disclosure.html#curl-major-incident-response
>
> When such an incident happens in a remote future, how can external parties
> tell who is a legitimate spokesperson for the project and the curl security
> team?
>
> The document suggests all communication to go through the security@ email
> address, so a reply to an email sent there should of course indicate that the
> person replying is part of the security team, but can we improve this?
> (Especially if the incident involves bringing down curl.se infrastructure.)
>
> I realize we can have an elaborate setup with cross-signed PGP keys, but I
> fear the complexity of that might risk that we realize by the time we want to
> use it that it doesn't actually work...
>
> Right now, we don't even publish the official list of curl security team
> member names, even though they can be figured out with high accuracy if you
> just read enough disclosed hackerone reports.
>
> How do other organizations handle this?

The best approach I know of is the Qubes Security Pack:
https://github.com/QubesOS/qubes-secpack. It's also adopted by Dasharo, and
the Qubes Security Bulletin format is used as the basis for Ledger's bulletins.

Disclaimer: I am a user of Qubes OS, and also a former paid developer.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
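The thread raises how an outside party can check that a statement really comes from the security team. The secpack model answers that with detached OpenPGP signatures on each bulletin plus a key fingerprint published out of band; the check that matters on the receiving side is that the signature is valid *and* made by the pinned key, not merely "Good signature" from whatever key happens to be in the local keyring. The script below is an added example written for this page (it is not code from the curl project, the Qubes secpack, or the thread's participants). It assumes a hypothetical layout of `<name>.txt` plus `<name>.txt.sig`, and a fingerprint the team publishes somewhere outside the repository, such as the vulnerability disclosure document. It accepts either the signing subkey's fingerprint or the primary key's fingerprint, since teams commonly publish the primary and sign with a subkey.

```shell
#!/bin/sh
# Added example (not from the curl thread or the Qubes project): verify a
# detached OpenPGP signature on a security bulletin AND pin the key that
# produced it. Assumes (hypothetical) files <name>.txt and <name>.txt.sig
# and a fingerprint the team publishes out of band. Honours GNUPGHOME, so a
# dedicated keyring for the team's key is easy to use.

# verify_bulletin BULLETIN SIGNATURE PINNED_FINGERPRINT
#   returns 0  signature valid and made by the pinned key (subkey or primary)
#   returns 1  signature missing, bad, or made by some other key
#   returns 2  gpg is not installed, so nothing could be checked
verify_bulletin() {
    bulletin=$1; sig=$2; pinned=$3
    command -v gpg >/dev/null 2>&1 || return 2

    # --status-fd 1 turns on gpg's machine-readable status lines; a bad or
    # unknown-key signature makes gpg exit non-zero, which we map to 1.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$bulletin" 2>/dev/null) \
        || return 1

    # VALIDSIG carries the fingerprint of the key that actually signed ($3)
    # and, as its last field, the fingerprint of the primary key it belongs to.
    fprs=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $3; print $NF}')
    [ -n "$fprs" ] || return 1

    # Normalise the published value (spaces, lowercase hex) before comparing.
    pinned_norm=$(printf '%s' "$pinned" | tr -d ' ' | tr 'a-f' 'A-F')
    for f in $fprs; do
        if [ "$f" = "$pinned_norm" ]; then
            return 0
        fi
    done
    return 1
}
```

Usage is `verify_bulletin bulletin.txt bulletin.txt.sig "FINGERPRINT FROM DISCLOSURE DOC"`; treat anything but exit status 0 as "do not act on this". Pinning the fingerprint rather than relying on the keyring is what defends against the scenario in the question, where the project's own infrastructure, and therefore any keyserver or web page under it, may be the thing that is compromised.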
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html
