On 6/24/23 21:39, Nikita Popov wrote:
> On Fri, Dec 30, 2022, at 22:39, Christoph M. Becker wrote:
>> On 30.12.2022 at 22:12, Nikita Popov wrote:
>>
>>> On Thu, Nov 10, 2022, at 14:29, Christoph M. Becker wrote:
>>>
>>>> On 09.11.2022 at 23:27, Nikita Popov wrote:
>>>>
>>>>> It looks like GitHub has just added support for private security reports:
>>>>> https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/
>>>>>
>>>>> I haven't looked into the details, but it probably makes sense to enable
>>>>> those on php-src and make this our official venue for security bug 
>>>>> reports.
>>>>> This would allow retiring the last remaining use of bugs.php.net (well,
>>>>> apart from the archive of old issues, which should of course remain).
>>>>
>>>> I agree, but maybe the security team is in favor of sticking with
>>>> bugs.php.net.
>>>
>>> I noticed that the php-src repo does enable private vulnerability reports 
>>> now, and there is one sitting around without response at 
>>> https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv.
>>>
>>> Possibly this was enabled unintentionally / without coordination with the 
>>> security team? That should probably either be disabled again, or someone 
>>> needs to keep an eye on it.
>>
>> I had enabled that some weeks ago, since there had been a spam attack on
>> bugsnet, so we could test the new feature.  I probably should have
>> written to the list right away, or at least have kept an eye on it, but I'd
>> assumed I would be notified about reported issues.
>>
>> I'll have a closer look at the rather verbose report tomorrow, if nobody
>> beats me to it.
>>
>> Generally, I'm in favor of keeping security reports on Github enabled;
>> we should stop user (not developer) comments on bugsnet as soon as
>> possible; there has been more spam than useful comments for quite a
>> while, and I think Github offers better features to handle that.
>>
>> Regarding the access rights on security advisories: currently only php
>> owners[1] may see and collaborate there.  To my knowledge, most of those
>> who are subscribed to the security mailing list are already in that
>> group, but if need be, others might be added, or maybe it's preferable
>> to create a new team for this.
>>
>> Thoughts?
> 
> Security bug reports on GitHub have been active for a while now, with about 
> 10 reports having been processed.
> 
> I wanted to check back whether security folks are happy with the process, and 
> whether it is time to make this the official channel for security reports, 
> which would allow us to disable issue creation on bugs.php.net entirely. (I 
> saw that the reports are 90% spam at this point.)
> 
> Regards,
> Nikita
> 

FWIW, if you press the "new issue" button on GitHub you get to this page: 
https://github.com/php/php-src/issues/new/choose
If you choose the last option "Security Issue" you still get redirected to the 
bugs.php.net bugtracker.
Interestingly, there's also a "Report a security vulnerability" option in the 
middle which brings you to the private report page on GitHub.
I guess this should be updated too.

Kind regards
Niels

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php