On 2021-03-08, Gary Gregory wrote:

> Are we talking about a human sending emails to the security list or letting
> the actual tool loose on the list to possibly spam it with false positives?

We are talking about a tool sending mails that (currently) is unable to identify whether an issue it detects is security critical or not.

I propose a new subscription moderated list so people can decide whether they want to see the mails - and we don't leak sensitive information by accident. Human beings subscribed to said list can then escalate to security@ as necessary.

Stefan