In light of the latest security issue, I've realised that having a private address for reporting issues isn't quite enough - a channel for communicating these and their resolutions to site owners prior to the issue being made public is also needed. So I've created a new private group for security announcements:
https://groups.google.com/group/mezzanine-security
So in future the process should go:
- I'll assess it, and if found to be a security issue, I'll post an announcement to the private group.
- I, or whoever can get to it first, will resolve the issue, and post the fix to the private group.
- We'll then give time for people on the list to make whatever changes are needed, and then release the patch and announcement on the public list.
How does that process sound? Should reports go directly to the private list for discussion?
--
Stephen McDonald
http://jupo.org