[erlang-questions] Reporting vulnerabilities in Erlang/OTP

Eric Skoglund eric@REDACTED
Thu May 7 18:47:17 CEST 2015
On 05/07/2015 05:18 PM, Raimo Niskanen wrote:
> On Thu, May 07, 2015 at 04:40:53PM +0200, Eric Skoglund wrote:
>> I was at a meetup last night with some FOSS people and the question of
>> how to handle security bugs in open source projects came up. This came
>> up because of a security bug that was found when there wasn't a proper
>> procedure set up, leading to the bug being made public before everyone
>> was properly notified.
>>
>> I think it would be a good idea to have a discussion on how security
>> issues should be handled, so that something like the above can be prevented.
>>
>> One thing that seems like it is popular for FOSS software is to have a
>> mail address specifically for security related bugs that a subset of
>> maintainers have access to (curl [0] or rails [1]). It might be a good
>> idea to set up security@REDACTED for something like this.
> 
> There is actually an erlang-security at erlang dot org that is intended for
> this purpose.  security at erlang dot org goes to the website admin for
> website security issues.
> 
That's great :), although I can't seem to find that information
anywhere. It might be a good idea to publish this information on the
website and github.

// Eric
