Hi.

> What's the trac-hacks disclosure policy for security issues? E.g. is there
> a private list to which we should report the details, or should we raise a
> public ticket and attach the patch?

There is no special policy yet.

From the point of the trac-hacks.org site admins, the author(s) and/or maintainer(s) of a plugin are responsible to fix security issues. Thus usually a reporter of security issues should try to get in contact with them first.

If that fails, or - as in this case - if the plugin is currently unmaintained I think it would be best to file a ticket for the issue, describe it as detailed as possible and provide a patch, if available. That way users of the plugin have a chance of learning about the issue and apply the patch themselves, if necessary. And it allows a future maintainer to apply the patch to the repository.

However, I'm all ears for any better suggestion on how these things could be handled.

Bye,
Mike
_______________________________________________
th-users mailing list
th-users@lists.trac-hacks.org
https://lists.trac-hacks.org/mailman/listinfo/th-users