On 10/08/2012, at 6:33 PM, Wido den Hollander <w...@widodh.nl> wrote:
> I can think of a legitimate reason for having webmaster@ and security@, but
> where do we forward them? What do we do with them if the people who it gets
> forwarded to are on vacation?

I don't know if webmaster would be useful any more (maybe just forward to the PPMC?).

For security, see [1]. The ASF has a dedicated security team for facilitating correct handling of vulnerabilities. Vulnerabilities can be sent directly to them (and they'll engage the PPMC privately, which is what most projects do), or you can have a separate security list (if that group of people differs from the PPMC - see [2]). If there is a separate list, security@ is automatically copied, so someone is always able to respond to a report in a timely manner.

> We should make an easy entrance for reporting security issues, but having
> e-mail addresses online tends to attract e-mail from people who seek support,
> that's what the -users list is for. :)

You'll see in any security report [3] that they do get support questions, but it doesn't seem to be a high enough volume to be a problem. I believe they get politely redirected to the right place.

Cheers,
Brett

[1] http://www.apache.org/security/
[2] http://www.apache.org/security/projects.html
[3] http://apache.org/foundation/records/minutes/2012/board_minutes_2012_06_20.txt (search for Attachment 6)

--
Brett Porter
br...@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
http://twitter.com/brettporter