For security reports, ASF already has a process; let's not improvise. Reporters should send email to secur...@apache.org. The process explains how to handle artifacts to reproduce the vulnerability.
Security will inform the PMC private list and forward the email.

--cs

On Wed, Mar 20, 2019 at 3:09 PM Matt Sicker <boa...@gmail.com> wrote:
> On Wed, 20 Mar 2019 at 12:52, Rodric Rabbah <rod...@gmail.com> wrote:
> >
> > We went through a case last year where a company reported a vulnerability
> > to us through security@a.o and we cc'ed them on all the communications. I
> > think that worked well. Are you suggesting we have our own project security
> > mailing list that goes to both our private list and security@a.o?
>
> Essentially, yes. This is more of a concern with larger projects (like
> this one) which are more likely to have to deal with security issues
> more often. It's essentially a way to segregate security traffic into
> its own mailing list rather than using up private@ for everything
> (which can get confusing depending on how much activity there is).
>
> --
> Matt Sicker <boa...@gmail.com>

--
Carlos Santana <csantan...@gmail.com>