On Friday 08 January 2010, Olle E. Johansson wrote:
we don't have a dedicated security mailing address at the moment, also because the number of incidents in this regards has been pretty low. What about using the existing 'management' and 'board' lists for this purpose as well?
Are the old SER team integrated to those lists?
Hey Olle,
no, we've two different lists at the moment:
- management at kamailio dot org - board at iptel dot org
In order to announce security related bugs i suggest to forward them to the user lists, and also to the (low traffic) kamalio announce list.
Well, sounds like a good first plan - why don't you put it on the web site as a starting point. We need a document that clearly states the process we've decided.
Sounds good.
"If you find any security issues with the software, please send e-mail to xxxx@sip-router.org or kamailio.net. From there, a member of the management team will handle it.
Also fine with me, other projects do it like this as well.
SIP-router security alerts will be sent to the -users list and published on the following URL. Security releases, if needed, will be mentioned in the security alert that will also point out which versions of the software that is affected by the issue."
If its ok to place this on the wiki, you could just create the page and post the link in this discussion, in order to get more/ other feedback. :)
Henning