On 30.12.2022 at 22:12, Nikita Popov wrote:

> On Thu, Nov 10, 2022, at 14:29, Christoph M. Becker wrote:
>
>> On 09.11.2022 at 23:27, Nikita Popov wrote:
>>
>>> It looks like GitHub has just added support for private security reports:
>>> https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/
>>>
>>> I haven't looked into the details, but it probably makes sense to enable
>>> those on php-src and make this our official venue for security bug reports.
>>> This would allow retiring the last remaining use of bugs.php.net (well,
>>> apart from the archive of old issues, which should of course remain).
>>
>> I agree, but maybe the security team is in favor of sticking with
>> bugs.php.net.
>
> I noticed that the php-src repo does enable private vulnerability reports
> now, and there is one sitting around without response at
> https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv.
>
> Possibly this was enabled unintentionally / without coordination with the
> security team? That should probably either be disabled again, or someone
> needs to keep an eye on it.

I had enabled that some weeks ago, since there had been a spam attack on bugsnet, so we could test the new feature. I probably should have written to the list right away, or at least have kept an eye on it, but I assumed I would be notified about reported issues. I'll have a closer look at the rather verbose report tomorrow, if nobody beats me to it.

Generally, I'm in favor of keeping security reports on GitHub enabled; we should stop user (not developer) comments on bugsnet as soon as possible; there has been more spam than useful comments for quite a while, and I think GitHub offers better features to handle that.

Regarding the access rights on security advisories: currently only php owners[1] may see and collaborate there. To my knowledge, most of those who are subscribed to the security mailing list are already in that group, but if need be, others might be added, or maybe it's preferable to create a new team for this.

Thoughts?

[1] <https://github.com/orgs/php/people?query=role%3Aowner>

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php