Eric Skoglund eric@REDACTED
Thu May 7 16:40:53 CEST 2015

I was at a meetup last night with some FOSS people and the question of
how to handle security bugs in open source projects came up. It came up
because a security bug had been found and there wasn't a proper
procedure set up, leading to the bug being made public before everyone
was properly notified.

I think it would be a good idea to have a discussion on how security
issues should be handled, so that something like the above can be prevented.

One thing that seems like it is popular for FOSS software is to have a
mail address specifically for security related bugs that a subset of
maintainers have access to (curl [0] or rails [1]). It might be a good
idea to set up security@REDACTED for something like this.

Just my 2 cents

// Eric Skoglund

[0] http://curl.haxx.se/docs/security.html
[1] http://rubyonrails.org/security/