On Thu, Nov 10, 2022, at 14:29, Christoph M. Becker wrote:
> On 09.11.2022 at 23:27, Nikita Popov wrote:
>
> > It looks like GitHub has just added support for private security reports:
> > https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/
> >
> > I haven't looked into the details, but it probably makes sense to enable
> > those on php-src and make this our official venue for security bug reports.
> > This would allow retiring the last remaining use of bugs.php.net (well,
> > apart from the archive of old issues, which should of course remain).
>
> I agree, but maybe the security team is in favor of sticking with
> bugs.php.net.
I noticed that the php-src repo does enable private vulnerability reports now, and there is one sitting around without response at https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv. Possibly this was enabled unintentionally / without coordination with the security team? That should probably either be disabled again, or someone needs to keep an eye on it.

Regards,
Nikita