On 18.11.2021 at 15:19, Nikita Popov wrote:

> On Thu, Nov 18, 2021 at 2:53 PM Matthew Weier O'Phinney <
> mweierophin...@gmail.com> wrote:
>
>> With Laminas, we use an email alias to allow researchers to report to us.
>> We then post the full report as a security issue on GitHub - it's a feature
>> they rolled out late 2019/early 2020 that restricts visibility to
>> maintainers initially, but allows inviting others to collaborate (we invite
>> the reporter immediately, for instance). It also creates a private branch
>> for collaboration. When the patch has been merged, you can mark the issue
>> public.
>
> Thanks for the suggestion! That does sound generally viable to me. Just to
> clarify, this is not making use of issues, but rather of "advisories",
> which GH implements as an independent feature.
>
> I'm not involved in security response, so I can't say whether the security
> group would want to adopt such a process. This is probably something that
> should be decided among the people who handle security issues, rather than
> here.

Yeah, I suggest decoupling the security reporting issue from this RFC.
That can and should be decided by other people, and wouldn't need an
RFC, in my opinion.

Just a quick note here that the handling of security reports is rather
suboptimal on bugsnet.  Patches need to be shared via secret Gists (or
similar), since even the reporter can't access attached patches.

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php