Hi,

There is now a mechanism in place for reporting security bugs via Bugzilla. If you look at the footer, you should now see a 'Report security bug' link. This allows someone who has a Bugzilla account to enter a bug in a new BZ product called 'Koha security'.

Bugs reported in this fashion are visible only to the reporter and to members of a Koha security group currently consisting of the following individuals:

- Bernardo Gonzalez Kriegel
- Chris Cormack
- Frère Sébastien Marie
- Fridolin SOMERS
- Galen Charlton
- Ian Walls
- Jared Camins-Esakov
- Jonathan Druart
- Katrin Fischer
- Kyle M Hall
- M. de Rooy
- MJ Ray (software.coop)
- Paul Poulain
- Robin Sheat
- Tomás Cohen Arazi

The idea is that members of the security group would be responsible for evaluating the bugs, fixing them (and drawing in outside help if needed), and releasing the fixes. Once a fix is released, the relevant bug(s) would be sanitized to remove mention of direct exploits, then have their products changed to 'Koha' so that they would be visible to all.

This is not set in stone, so I invite discussion of the security policy. I also invite anybody who may have been sitting on security bugs for lack of a means to report them securely to go ahead and use BZ.

Regards,

Galen

--
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email: g...@esilibrary.com
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org

_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/