Security point of contact
cpicard at openmailbox.org
Sun Jun 10 00:59:11 UTC 2018
On Sunday, 10 June 2018 at 00:31:55 UTC, Vladimir Panteleev wrote:
> On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
>> Who should I contact?
>> I'd very very much like to have something like a
>> security at dlang.org for such things, it's not the first and
>> likely not the last time this need arises, and the lack of a
>> clear procedure doesn't encourage coordinated disclosure.
> Less specifically, it depends on the component / property.
> There is the https://wiki.dlang.org/People page, which has a
> list of points of contact.
This is exactly the thing: first of all, the idea that the main
developer of the part of the project impacted should be the one
receiving the report is sound but far from obvious. In many
countries there is a (stupid) legal risk associated with
vulnerability disclosure, so as a researcher you'd rather be sure
that you're talking to the right person.
Furthermore, the list doesn't provide any direct way to contact
any of those people, which isn't surprising but adds friction. In
the best case the email is visible on their GitHub account; in
the worst you need to look at commits and hope the email is still
valid and the one the person expects to be contacted with.
The alternatives are 1) opening a public issue on
issues.dlang.org, which I did many times where I judged that it
was acceptable given the issue, but I'm never at ease doing it, or
2) asking as I just did.
I can say with certainty that the current process is a deterrent.
In the past I decided not to discuss some issues because of it
(hopefully not too important, otherwise I'd have pressed the matter
and remembered what it was about, but judging importance isn't
Security is the thing nobody wants to have to think about, but
it's important nonetheless, so I think it's worth improving the
process on that point. After all, all issues found and disclosed
by external people are issues you don't have to find yourself ;)