
Re: [Chicken-meisters] Security reports


From: Peter Bex
Subject: Re: [Chicken-meisters] Security reports
Date: Thu, 31 Mar 2011 13:30:28 +0200
User-agent: Mutt/1.4.2.3i

On Thu, Mar 31, 2011 at 01:27:52PM +0200, Felix wrote:
> From: Peter Bex <address@hidden>
> Subject: [Chicken-meisters] Security reports
> Date: Thu, 31 Mar 2011 13:06:17 +0200
> 
> > Hello all,
> > 
> > I was enjoying myself with making fun of Chamilo for having a shitty
> > security process, but then I realised our situation isn't better; we
> > have no documented way to report security issues (with eggs and/or
> > chicken itself).
> > 
> > I propose setting up a address@hidden, which optionally
> > just sends mail to the chicken-meisters.  This should then be clearly
> > listed on the call-cc.org main page, and on the wiki.  We should then
> > probably announce it on chicken-users, or chicken-hackers too.
> > 
> > If we get this set up we might also document a "security process"
> > that describes how security issues are handled.
> > 
> > What do y'all think?
> 
> Sorry, but what is a "security process"?

Just a clearly documented description of how security issues are handled.
This helps security researchers perform responsible disclosure.

Something like
http://www.freebsd.org/security/security.html
or
http://drupal.org/security-team

Maybe this is all too much "process". In any case, we do need to document
whatever little process we have, and where to send issues.

Cheers,
Peter
-- 
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
                                                        -- Donald Knuth


