10/29/2022, 5:45 PM
Hey, I'm going through a Linux Foundation class on secure software development. They recommend OSS projects have a top-level
file for how people should report vulnerabilities. Thoughts on formalizing our process?
The only precedent I see is
, where we direct a user to email
We could simply formalize that. Or, create a dedicated group (e.g. a Google group) that mirrors our Code of Conduct. That is, multiple people can be in the group.
10/30/2022, 6:56 PM
With how much people reach out on Slack for literally everything else, it seems to me that if someone did want to report something they'd just ask here where to report it.
10/31/2022, 4:33 PM
Someone shouldn't need to create a Slack account just to report a security issue, though.