[sr-dev] Security incident management
Henning Westerholt
henning.westerholt at 1und1.de
Fri Jan 8 10:52:38 CET 2010
On Friday 08 January 2010, Olle E. Johansson wrote:
> I know that the number of security reports for SER and Kamailio are very
> low, in fact so low that I can't remember any. However, it can still
> happen to us in the future. Do we have any policies and procedure for how
> to handle it?
>
> Yes, this is being negative, but also realistic. It's not only about our
> own code, we depend on a large number of external libraries that could
> release security reports that will affect our user base too, and propably
> should be forwarded.
Hi Olle,
we don't have a dedicated security mailing address at the moment, also because
the number of incidents in this regards has been pretty low. What about using
the existing 'management' and 'board' lists for this purpose as well?
In order to announce security related bugs i suggest to forward them to the
user lists, and also to the (low traffic) kamalio announce list.
Cheers,
Henning
More information about the sr-dev
mailing list