On Fri, Dec 30, 2022, at 22:39, Christoph M. Becker wrote:
> On 30.12.2022 at 22:12, Nikita Popov wrote:
> 
> > On Thu, Nov 10, 2022, at 14:29, Christoph M. Becker wrote:
> >
> >> On 09.11.2022 at 23:27, Nikita Popov wrote:
> >>
> >>> It looks like GitHub has just added support for private security reports:
> >>> https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/
> >>>
> >>> I haven't looked into the details, but it probably makes sense to enable
> >>> those on php-src and make this our official venue for security bug 
> >>> reports.
> >>> This would allow retiring the last remaining use of bugs.php.net (well,
> >>> apart from the archive of old issues, which should of course remain).
> >>
> >> I agree, but maybe the security team is in favor of sticking with
> >> bugs.php.net.
> >
> > I noticed that the php-src repo does enable private vulnerability reports 
> > now, and there is one sitting around without response at 
> > https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv.
> >
> > Possibly this was enabled unintentionally / without coordination with the 
> > security team? That should probably either be disabled again, or someone 
> > needs to keep an eye on it.
> 
> I had enabled that some weeks ago, since there had been a spam attack on
> bugsnet, so we could test the new feature.  I probably should have
> written to the list right away, or at least have kept an eye on it, but I
> had assumed I would be notified about reported issues.
> 
> I'll have a closer look at the rather verbose report tomorrow, if nobody
> beats me to it.
> 
> Generally, I'm in favor of keeping security reports on Github enabled;
> we should stop user (not developer) comments on bugsnet as soon as
> possible; there has already been more spam than useful comments for quite a
> while, and I think Github offers better features to handle that.
> 
> Regarding the access rights on security advisories: currently only php
> owners[1] may see and collaborate there.  To my knowledge, most of those
> who are subscribed to the security mailing list are already in that
> group, but if need be, others might be added, or maybe it's preferable
> to create a new team for this.
> 
> Thoughts?

Security bug reports on GitHub have been active for a while now, with about 10 
reports having been processed.

I wanted to check back whether security folks are happy with the process, and 
whether it is time to make this the official channel for security reports, 
which would allow us to disable issue creation on bugs.php.net entirely. (I saw 
that the reports are 90% spam at this point.)

Regards,
Nikita
