[Code] Is there a proper way to report security issue in php-openid?

Kurt Seifried kurt at seifried.org
Mon Aug 19 00:44:29 UTC 2013


On Sat, Aug 17, 2013 at 9:53 PM, Kousuke Ebihara <kousuke at co3k.org> wrote:

> Hi,
>
> > I'd like to propose a method of how to report security issues,
>
> Marco, it is a very good attitude.
>
> In the usual case, as in RFC 2142, security at example.com is a good place to
> report security issues; however, you already have this named list for
> *protocol level* security issues [1]_ (and this archive is published [2]_ ).
>

One note: there's no reason security@ can't do double duty. Unless you make
it really clear on a web page like /security/index.html or something, people
will probably email it there anyway.


>
> Using the security flag in Launchpad looks good, but it might be
> difficult for some security reporters to use, so I recommend you
> write a somewhat detailed manual on how to report.
>

Problems with this are: 1) is it secure? 2) is it easy to do properly?

If someone wants to report a serious 0day issue and keep it embargoed,
encrypted email is usually the best. I hate, hate, hate having to contact
upstreams through their bug trackers where I have no idea who can see the
"private" or "Security" bug I'm filing (my day job is Security Response
Team @Red Hat, so I do a lot of this; trust me, email is best).


-- 
Kurt Seifried
kurt at seifried.org