>The Mozilla security bug group will have a private mailing list to
>which everyone in the security bug group will be subscribed.
>This list will act as the well-known address to which users can submit
>new security bugs.

How about having a sublist to which users can send reports of new security
bugs, so not all members of the list have to receive all the spam?


>The original reporter of a security bug has the primary responsibility
>for deciding when that bug will be made public; disclosure is done by
>clearing the bug's "Security-Sensitive" flag, after which the bug will
>revert to being an ordinary bug.
> ...
>However we will ask all individuals and organizations reporting
>security bugs through Bugzilla to follow the voluntary guidelines
>below... Before making a security bug world-readable, please provide a
>few days notice to the Mozilla security bug group by sending email to
>the private security bug group mailing list.

Reporters are unlikely to care about the bug several months after it is
fixed, and are even less likely to care enough to ask permission to open it.
Reporters should have the *ability* to open bugs to the public, but they
should not be relied upon to make their bugs public several months after the
bugs are fixed. That responsibility should lie elsewhere (hi BenB).


