[Code] Is there a proper way to report security issue in php-openid?

Kousuke Ebihara kousuke at co3k.org
Sun Aug 18 03:53:58 UTC 2013


Hi,

> I'd like to propose a method of how to report security issues,

Marco, that is a very good attitude.

In the usual case, as in RFC 2142, security at example.com is a good place to report security issues; however, you already have this named list for *protocol level* security issues [1]_ (and its archive is published [2]_).

Using the security flag in Launchpad looks good, but it might be difficult for some security reporters to use, so I recommend that you write a somewhat detailed manual on how to report.

And FYI, I made suggestions to Symfony about its security issue handling process last year [3]_ and they improved it [4]_. I think my suggestions and their improvements might be a good example for you.

.. [1] : http://wiki.openid.net/w/page/12995230/Security
.. [2] : http://lists.openid.net/pipermail/openid-security/
.. [3] : https://groups.google.com/d/msg/symfony-devs/HeEcBlbjM-c/GeoE_hPSMoAJ
.. [4] : http://symfony.com/blog/security-issue-management-improvements

(2013/08/12 15:58), Marco Ceppi wrote:
> While this is being discussed off-list, I'd like to propose a method of how to report security issues, via some escalation path, that maintainers and trusted contributors can read and respond to outside of the public scope. I know in Launchpad you can specify if a bug is a security issue, which would notify only the project's members and make the bug only visible to them until the "security" flag was removed.
> 
> I don't think there is a comparable feature in GitHub, so would setting up a second list be something to investigate? Or should we just have in the README to email X, Y, and Z with the issue?
> 
> Thanks
> Marco Ceppi
> 
> 
> On Sun, Aug 11, 2013 at 6:55 PM, Kousuke Ebihara <kousuke at co3k.org <mailto:kousuke at co3k.org>> wrote:
> 
>     Hi,
> 
>     I've found a security vulnerability in the current master branch of php-openid (ed87a679d5ef18178b0f0c0c41f9e391e21267ac).
> 
>     https://github.com/openid/php-openid
> 
>     So I want to report it ASAP, but I can't see where I should report it to.
> 
>     Is there a proper way to report security issue in php-openid?
> 
>     Thanks,
>     Kousuke
> 
>     --
>     Kousuke Ebihara <kousuke at co3k.org <mailto:kousuke at co3k.org>>
>     http://co3k.org/
>     _______________________________________________
>     Code mailing list
>     Code at lists.openid.net <mailto:Code at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-code
> 
> 

-- 
Kousuke Ebihara <kousuke at co3k.org>
http://co3k.org/
