<div dir="ltr">I would like to suggest that <a href="mailto:erlang-security@erlang.org">erlang-security@erlang.org</a> setup a disclosure page on <a href="http://erlang.org">erlang.org</a> with a link to it from the home page in the footer. At Rapid7 we also post a PGP key so that researchers can encrypt their finding. You can see our disclosure page here: <a href="https://www.rapid7.com/disclosure.jsp">https://www.rapid7.com/disclosure.jsp</a>. We handle zero-day vulnerability disclosures often with outside vendor in our work on Metasploit Framework and we've helped open source contriibutors disclose to vendors. Tod Beardsley <<a href="mailto:Tod_Beardsley@rapid7.com">Tod_Beardsley@rapid7.com</a>> could help explain how he setup Rapid7's program. By the way, after the vulnerability is public, <a href="https://github.com/rapid7/metasploit-framework/pulls">https://github.com/rapid7/metasploit-framework/pulls</a> will accept pull request with a Metasploit Module that users of the software can use to test if they are vulnerable.</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 7, 2015 at 11:47 AM, Eric Skoglund <span dir="ltr"><<a href="mailto:eric@pagefault.se" target="_blank">eric@pagefault.se</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
On 05/07/2015 05:18 PM, Raimo Niskanen wrote:<br>
> On Thu, May 07, 2015 at 04:40:53PM +0200, Eric Skoglund wrote:<br>
>> I was at a meetup last night with some FOSS people and the question on<br>
>> how to handle security bugs in open source projects came up. Why this<br>
>> came up was due to a security bug that was found and there wasn't a<br>
>> proper procedure set up, leading to the bug being made public before<br>
>> everyone was properly notified.<br>
>><br>
>> I think it would be a good idea to have a discussion on how security<br>
>> issues should be handled. So that something like the above can be prevented.<br>
>><br>
>> One thing that seems like it is popular for FOSS software is to have a<br>
>> mail address specifically for security related bugs that a subset of<br>
>> maintainers have access to (curl [0] or rails [1]). It might be a good<br>
>> idea to set up <a href="mailto:security@erlang.org">security@erlang.org</a> for something like this.<br>
><br>
> There is actually an erlang-security at erlang dot org that is intended for<br>
> this purpose. security at erlang dot org goes to the website admin for<br>
> website security issues.<br>
><br>
>><br>
<br>
</span>That's great :), although I can't seem to find that information<br>
anywhere. It might be a good idea to publish this information on the<br>
website and github.<br>
<span class="HOEnZb"><font color="#888888"><br>
// Eric<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
</div></div></blockquote></div><br></div>