dubbo-dev mailing list archives

From Huxing Zhang <hux...@apache.org>
Subject Private channel for reporting security issues
Date Thu, 01 Mar 2018 02:20:20 GMT
Hello Mentors and community,

Recently we received a report of a security vulnerability, which was
reported publicly via GitHub issues. However, when I wanted to check it
again, I found the issue deleted for an unknown reason. I've no idea how
this happened, and my guess is GitHub deleted this issue once it
detected it as a vulnerability report.

This made me think about how a security issue should be reported.

Given that Dubbo has already been widely used in many production
systems of various companies[1], I think we should provide a private
channel for reporting security issues.

Currently we have 2 options:
1) private@dubbo.apache.org
2) security@dubbo.apache.org

Since Dubbo has just started incubating, I think 1) is enough for now. We
can switch to 2) if necessary.


[1] https://github.com/alibaba/dubbo/issues/1012
Best Regards!
