On Friday 08 January 2010, Olle E. Johansson wrote:
I know that the number of security reports for SER and Kamailio are very
low, in fact so low that I can't remember any. However, it can still
happen to us in the future. Do we have any policies and procedure for how
to handle it?

Yes, this is being negative, but also realistic. It's not only about our
own code, we depend on a large number of external libraries that could
release security reports that will affect our user base too, and probably
should be forwarded.

Hi Olle,
we don't have a dedicated security mailing address at the moment, also because
the number of incidents in this regard has been pretty low. What about using
the existing 'management' and 'board' lists for this purpose as well?
In order to announce security-related bugs I suggest to forward them to the
user lists, and also to the (low traffic) Kamailio announce list.
Cheers,
Henning