On Wed, 20 Mar 2019 at 12:52, Rodric Rabbah <rod...@gmail.com> wrote:
>
> We went through a case last year where a company reported a vulnerability
> to us through security@a.o and we cc'ed them on all the communications. I
> think that worked well. Are you suggesting we have our own project security
> mailing list that goes to both our private list and security@a.o?
Essentially, yes. This is more of a concern with larger projects (like this one) which are more likely to have to deal with security issues more often. It's essentially a way to segregate security traffic into its own mailing list rather than using up private@ for everything (which can get confusing depending on how much activity there is).

--
Matt Sicker <boa...@gmail.com>