[sr-dev] Security incident management

Henning Westerholt henning.westerholt at 1und1.de
Fri Jan 8 10:52:38 CET 2010


On Friday 08 January 2010, Olle E. Johansson wrote:
> I know that the number of security reports for SER and Kamailio are very
>  low, in fact so low that I can't remember any. However, it can still
>  happen to us in the future. Do we have any policies and procedure for how
>  to handle it?
> 
> Yes, this is being negative, but also realistic. It's not only about our
>  own code, we depend on a large number of external libraries that could
>  release security reports that will affect our user base too, and propably
>  should be forwarded.

Hi Olle,

we don't have a dedicated security mailing address at the moment, also because 
the number of incidents in this regards has been pretty low. What about using 
the existing 'management' and 'board' lists for this purpose as well?

In order to announce security related bugs i suggest to forward them to the 
user lists, and also to the (low traffic) kamalio announce list.

Cheers,

Henning



More information about the sr-dev mailing list