Hello everyone here,

I have recently seen the announcement that GitHub enabled security
vulnerability private reporting to be managed globally for
organisations:

https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability

Since we are currently using security@ in our policy, I was just
wondering if there are ways the GitHub reporting can be leveraged as
well (in addition to mailing lists, maybe, rather than replacing them
for projects that already use GitHub).

I am not sure if that is needed or necessary, or whether it could
fit in the current process. Or maybe we do not want to use it at all
(there are certain properties of using a mailing list that make it
less noisy than GitHub reporting, I think, and I believe we have some
integrations that make it easier to manage than issues reported in
multiple repos).

Just wanted to raise it here, maybe people do not realise that as of
recently this capability exists in GitHub.

Or maybe someone already uses it and has some experiences to share?

J.

---------------------------------------------------------------------
To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
For additional commands, e-mail: security-discuss-h...@community.apache.org