On Tue, 2016-01-05 at 23:49 +0100, Ferenc Kovacs wrote: > that something which resonates with what Sara said and similar in nature > what we do with security@, point of contact, with trustworthy people > experienced on the topic and without any additional privileges apart of > being able to seeing the reports and being able to discuss the reported > problem and escalate if necessary.
I think there is a difference - security@ recipient list is more or less unknown (maybe we might make it more public, but please don't sidetrack this discussion) As written before[1] I think a better approach is to list individuals which can be contacted. Maybe the accused is on that list and shouldn't receive the complaint directly. In that linked message I mentioned "guidance for new comers" thee the Drupal CoC might indeed be a good starting point by, while I just scrolled over it. johannes [1] http://news.php.net/php.internals/90041
signature.asc
Description: This is a digitally signed message part
