[erlang-questions] Reporting vulnerabilities in Erlang/OTP

otpcoder <>
Thu May 7 17:43:57 CEST 2015


On Thu, May 7, 2015 at 4:18 PM, Raimo Niskanen <
> wrote:

> On Thu, May 07, 2015 at 04:40:53PM +0200, Eric Skoglund wrote:
> > I was at a meetup last night with some FOSS people and the question on
> > how to handle security bugs in open source projects came up. Why this
> > came up was due to a security bug that was found and there wasn't a
> > proper procedure set up, leading to the bug being made public before
> > everyone was properly notified.
> >
> > I think it would be a good idea to have a discussion on how security
> > issues should be handled. So that something like the above can be
> prevented.
> >
> > One thing that seems like it is popular for FOSS software is to have a
> > mail address specifically for security related bugs that a subset of
> > maintainers have access to (curl [0] or rails [1]). It might be a good
> > idea to set up  for something like this.
>
> There is actually an erlang-security at erlang dot org that is intended for
> this purpose.  security at erlang dot org goes to the website admin for
> website security issues.
>

So is erlang-security at erlang dot org the right address to use, rather
than
Ingela or Kenneth's personal addresses?

I agree with Eric that having a formal procedure is a good idea. You should
decide on some procedure, no matter how minimal, and publish it on the
wiki. In the absence of such guidance it's very easy to assume that the
right
thing to do is to push a topic branch and issue a pull request.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150507/1e796976/attachment.html>


More information about the erlang-questions mailing list