openwhisk-dev mailing list archives

From Bertrand Delacretaz <>
Subject Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting
Date Thu, 21 Mar 2019 13:06:07 GMT

On Wed, Mar 20, 2019 at 7:21 PM Matt Rutkowski <> wrote:
> ...As indicated, they are directed to use our private (PMC) email list as
> they should do by Apache process... having the new page makes this very
> clear...

Did you find ASF instructions to use private@ for security reports?

I think the recommendation is to either use or a
project-specific security@ list - if you look at all addresses are

The goal is for the ASF security team to have an overview on security
reports, to be able to take action if a PMC becomes unresponsive. I
*think* security@ lists are handled in a way that provides that
oversight, but private@ lists are not.

At this point my recommendation is to use until a
project-specific security@ list is needed, if volume increases for

