[erlang-questions] Reporting vulnerabilities in Erlang/OTP

Luke Imhoff <>
Sat May 9 06:12:09 CEST 2015


I would like to suggest that  set up a disclosure
page on erlang.org with a link to it from the home page in the footer.  At
Rapid7 we also post a PGP key so that researchers can encrypt their
findings.  You can see our disclosure page here:
https://www.rapid7.com/disclosure.jsp.  We handle zero-day vulnerability
disclosures often with outside vendors in our work on Metasploit
Framework, and we've helped open source contributors disclose to vendors.
Tod Beardsley <> could help explain how he set up
Rapid7's program.  By the way, after the vulnerability is public,
https://github.com/rapid7/metasploit-framework/pulls will accept pull
requests with a Metasploit module that users of the software can use to test
whether they are vulnerable.

On Thu, May 7, 2015 at 11:47 AM, Eric Skoglund <> wrote:

>
>
> On 05/07/2015 05:18 PM, Raimo Niskanen wrote:
> > On Thu, May 07, 2015 at 04:40:53PM +0200, Eric Skoglund wrote:
> >> I was at a meetup last night with some FOSS people and the question on
> >> how to handle security bugs in open source projects came up. Why this
> >> came up was due to a security bug that was found and there wasn't a
> >> proper procedure set up, leading to the bug being made public before
> >> everyone was properly notified.
> >>
> >> I think it would be a good idea to have a discussion on how security
> >> issues should be handled. So that something like the above can be
> prevented.
> >>
> >> One thing that seems like it is popular for FOSS software is to have a
> >> mail address specifically for security related bugs that a subset of
> >> maintainers have access to (curl [0] or rails [1]). It might be a good
> >> idea to set up  for something like this.
> >
> > There is actually an erlang-security at erlang dot org that is intended
> for
> > this purpose.  security at erlang dot org goes to the website admin for
> > website security issues.
> >
> >>
>
> That's great :), although I can't seem to find that information
> anywhere. It might be a good idea to publish this information on the
> website and github.
>
> // Eric
>
> _______________________________________________
> erlang-questions mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-questions
>