openwhisk-dev mailing list archives

From "Matt Rutkowski" <mrutk...@us.ibm.com>
Subject Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting
Date Wed, 20 Mar 2019 18:21:04 GMT
As indicated, they are directed to use our private (PMC) email list as
they should do by Apache process... having the new page makes this very
clear...

ASF encourages the use of a PMC's private list, but also provides a
security email list for full projects... as we are an Incubator we do not
get one and clearly reading the page we pointed to previously (and still
link to) we are NOT included which would cause users issues deciding
how/where to begin.  What I have added is correct and consistent with
other projects.




From:   Rodric Rabbah <rodric@gmail.com>
To:     dev@openwhisk.apache.org
Date:   03/20/2019 12:52 PM
Subject:        Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting



We went through a case last year where a company reported a vulnerability
to us through security@a.o and we cc'ed them on all the communications. I
think that worked well. Are you suggesting we have our own project security
mailing list that goes to both our private list and security@a.o?

-r

On Wed, Mar 20, 2019 at 1:33 PM Matt Sicker <boards@gmail.com> wrote:

> I'm not exactly sure on the process, but I think it's important to use
> a security-specific mailing list for tracking purposes. If the reports
> don't filter through security@apache.org, it makes sense to make a
> dedicated security@ mailing list for the project.
>
> On Wed, 20 Mar 2019 at 11:57, Rodric Rabbah <rodric@gmail.com> wrote:
> >
> > Looks good to me - thanks Matt.
> >
> > -r
>
>
>
> --
> Matt Sicker <boards@gmail.com>
>




