Hi friends,
One of the remaining steps to make us reach 100% "CII best practices", is to
make sure we document how we deal with security problems and provide a way for
users to report such problems without immediately disclosing them to the
public.
I've written a suggested "security process" for how to handle these sort of
problems and I've set up an email alias (libssh2-secur...@haxx.se) with a
closed list of receivers to which suspected vulerabilities can be reported.
The process is my *suggested* approach and I'm interested in feedback and
comments to make sure we all agree on it. It is right now already easily
browsable here:
https://github.com/libssh2/libssh2/blob/master/docs/SECURITY.md
There should be very few surprises in that. It is basically the same document
I've used in the curl project for many years. I stole it from there with
permission since I wrote the original =)
I'll make it viewable from the web site too in a day or two, depending on the
feedback here.
--
/ daniel.haxx.se
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
