How to report security related issues?

[Lucien van Wouw]

Hi,

I wonder how security issues can be reported other than the public github repository,

Is there a IQSS procedure for this ? Where can end users ( developers, dataverse maintainers, etc ) report them ?

[Philip Durbin]

From what I can tell we don't explain very well that we *don't* want security issues to be reported in public such as on this mailing list, the GitHub issue tracker, Twitter, IRC, etc.

Rather, please send anything security-related to sup...@dataverse.org which will create a private ticket in the IQSS/HMDC ticket tracker at https://help.hmdc.harvard.edu

Let me see what I can do about documenting this properly (and perhaps setting up a dedicated email address). I'm looking at sites like the ones below but if anyone has a favorite writeup of how to report security vulnerabilities, please let us know:

- https://www.oracle.com/support/assurance/vulnerability-remediation/reporting-security-vulnerabilities.html
- http://www.postgresql.org/support/security/
- https://access.redhat.com/security/team/contact

I added a card for this task: https://trello.com/c/xiTCfbfd/23-how-to-report-security-issues

Thanks!

Phil

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/31b75433-f517-48c0-acef-78a955abab70%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Philip Durbin
Software Developer for http://dataverse.org
http://www.iq.harvard.edu/people/philip-durbin