dubbo-dev mailing list archives

From Huxing Zhang <hux...@apache.org>
Subject Re: Private channel for reporting security issues
Date Fri, 02 Mar 2018 03:23:49 GMT
Hi Mark,

Thanks for the information.
In that case, I am +1 for security@dubbo.apache.org.

Further question: if the vulnerability report is related to some
project Dubbo depends on, what kind of action should the Dubbo security
team take?

Should we accept it, update to the fixed version, and then announce it?

On Thu, Mar 1, 2018 at 6:24 PM, Mark Thomas <markt@apache.org> wrote:
> On 01/03/18 02:59, Echo Wang wrote:
>>>
>>> 1) private@dubbo.apache.org
>>
>>
>> +1
>
> With my mentor hat on:
>
> No.
>
> All security vulnerability reports need to be visible to the ASF
> security team and if they are reported directly to the private@ list
> that doesn't happen.
>
> The podling needs to choose which of the following addresses it wishes
> to publish for security reports and then make sure that the chosen
> address is clearly signposted:
>
> 1. security@dubbo.apache.org
> 2. security@apache.org
>
> If the podling chooses the first, the podling will need to request that
> that list is set up by INFRA. All security@<project>.apache.org lists
> are automatically copied to the ASF security team.
>
> If the podling chooses security@a.o (the ASF wide security address),
> that team will then forward reports to private@dubbo.apache.org
>
> Now is probably also a good time for the project community to review the
> security vulnerability handling process:
>
> http://www.apache.org/security/committers.html
>
> Mark

-- 
Best Regards!
Huxing
