see email thread here
I like Chris' proposal to use Github security advisories as our primary means for coordinating and executing the response to incoming security bug reports. Currently the vast majority of our security bug reports come in through emails sent to the firstname.lastname@example.org mailing list. This proposal would not change that. We require security bugs to be reported confidentially and the mailing list works, and has worked, just fine for this.
For coordinating and executing the response, we use confidential security bugs in JIRA; however, it doesn't work as well as we would like. JIRA does not help us collaborate and track the work on private branches used for fixing security bugs. JIRA also doesn't handle well adding individual engineers needed to address security bugs.
Github security advisories do both confidential coordination and collaboration much better and I think it would make our response to security bugs more efficient and transparent, first within the security team and then later with the community. Now that we have all of our repos hosted on Github, this is a real possibility.
My recommendation is that we begin using Github Security Advisories to handle incoming security bugs.
I don't think this really concerns the TSC because it doesn't affect the external facing interface to the Security team. I think we can close this item out. The decision will be made on the security@ mailing list.
Arnaud J Le Hors ^^^