Private Security Announcement List

Stephen McDonald

Aug 22, 2012, 5:33:24 AM
to mezzani...@googlegroups.com
In light of the latest security issue, I've realised that having a private address for reporting issues isn't quite enough - a channel for communicating these and their resolutions to site owners prior to the issue being made public is also needed. So I've created a new private group for security announcements: https://groups.google.com/group/mezzanine-security

So in future the process should go:

- Report issues to secu...@jupo.org (this goes to me).
- I'll assess it, and if found to be a security issue, I'll post an announcement to the private group.
- Myself or whoever can get to it first will resolve the issue, and post the fix to the private group.
- We'll then give time for people on the list to make whatever changes needed, and then release the patch and announcement on the public list.

How does that process sound? Should reports go directly to the private list for discussion?

--
Stephen McDonald
http://jupo.org

Josh Cartmell

Aug 23, 2012, 12:43:48 PM
to mezzani...@googlegroups.com
I think that reports could go directly to the private list, but I'm not sure how that would work since it is a private list (i.e. if someone not on the list finds a security issue they wouldn't be able to post to the list).

Thanks for setting this up Steve, I think it will be a better way to handle things and allow more community involvement!

Stephen McDonald

Aug 23, 2012, 4:55:43 PM
to mezzani...@googlegroups.com
Yeah that makes more sense. What I'll do is leave things as is for now, and I'll forward anything that comes to secu...@jupo.org directly to the private list for discussion as soon as it arrives.