Security point of contact

[Cym13]

On Sunday, 10 June 2018 at 00:31:55 UTC, Vladimir Panteleev wrote:
> On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
>> Who should I contact?
>>
>> I'd very very much like to have something like a 
>> security at dlang.org for such things, it's not the first and 
>> likely not the last time this need arises, and the lack of a 
>> clear procedure doesn't encourage coordinated disclosure.
>
> Less specifically, it depends on the component / property. 
> There is the https://wiki.dlang.org/People page, which has a 
> list of points of contact.

This is the thing exactly, first of all the idea that the main 
developer of the part of the project impacted should be the one 
receiving the report is sound but far from obvious. In many 
countries there is a (stupid) legal risk associated with 
vulnerability disclosure, so as a researcher you'd rather be sure 
that you're talking to the right person.

Furthermore the list doesn't provide any direct way to contact 
any of those people, which isn't surprising but adds friction. In 
the best case the email is visible on their github account, in 
the worst you need to look at commits and hope the email is still 
valid and the one the person expects to be contact with.

The alternatives are 1) opening a public issue on 
issues.dlang.org, which I did many times where I judged that it 
was acceptable given the issue but I'm never at ease doing it, or 
2) asking as I just did.

I can say with certainty that the current process is a deterrent. 
In the past I decided not to discuss some issues because of it 
(hopefully not to important otherwise I'd have pressed the matter 
and remember what it was about, but judging importance isn't 
easy).

Security is the thing nobody wants to have to think about, but 
it's important nonetheless, so I think it's worth improving the 
process on that point. After all, all issues found and disclosed 
by external people are issues you don't have to find yourself ;)