openwhisk-dev mailing list archives

From Bertrand Delacretaz <bdelacre...@apache.org>
Subject Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting
Date Thu, 21 Mar 2019 13:06:07 GMT
Hi,

On Wed, Mar 20, 2019 at 7:21 PM Matt Rutkowski <mrutkows@us.ibm.com> wrote:
>
> ...As indicated, they are directed to use our private (PMC) email list as
> they should do by Apache process... having the new page makes this very
> clear...

Did you find ASF instructions to use private@ for security reports?

I think the recommendation is to either use security@apache.org or a
project-specific security@ list - if you look at
http://www.apache.org/security/projects.html all addresses are
security@

The goal is for the ASF security team to have an overview on security
reports, to be able to take action if a PMC becomes unresponsive. I
*think* security@ lists are handled in a way that provides that
oversight, but private@ lists are not.

At this point my recommendation is to use security@apache.org until a
project-specific security@ list is needed, if volume increases for
example.

-Bertrand
