[erlang-questions] Reporting vulnerabilities in Erlang/OTP
Thu May 7 18:47:17 CEST 2015
On 05/07/2015 05:18 PM, Raimo Niskanen wrote:
> On Thu, May 07, 2015 at 04:40:53PM +0200, Eric Skoglund wrote:
>> I was at a meetup last night with some FOSS people and the question on
>> how to handle security bugs in open source projects came up. Why this
>> came up was due to a security bug that was found and there wasn't a
>> proper procedure set up, leading to the bug being made public before
>> everyone was properly notified.
>> I think it would be a good idea to have a discussion on how security
>> issues should be handled, so that something like the above can be prevented.
>> One thing that seems to be popular for FOSS software is to have a
>> mail address specifically for security related bugs that a subset of
>> maintainers have access to (curl or rails). It might be a good
>> idea to set up something like this.
> There is actually an erlang-security at erlang dot org that is intended for
> this purpose. security at erlang dot org goes to the website admin for
> website security issues.
That's great :), although I can't seem to find that information
anywhere. It might be a good idea to publish this information on the
website and github.