[sr-dev] Security incident management

Olle E. Johansson oej at edvina.net
Fri Jan 8 10:57:05 CET 2010


On 8 Jan 2010 at 10:52, Henning Westerholt wrote:

> On Friday 08 January 2010, Olle E. Johansson wrote:
>> I know that the number of security reports for SER and Kamailio is very
>> low, in fact so low that I can't remember any. However, it can still
>> happen to us in the future. Do we have any policies and procedures for how
>> to handle it?
>> 
>> Yes, this is being negative, but also realistic. It's not only about our
>> own code; we depend on a large number of external libraries that could
>> release security reports that will affect our user base too, and probably
>> should be forwarded.
> 
> Hi Olle,
> 
> we don't have a dedicated security mailing address at the moment, also because 
> the number of incidents in this regard has been pretty low. What about using 
> the existing 'management' and 'board' lists for this purpose as well?
Is the old SER team integrated into those lists?


> 
> In order to announce security-related bugs I suggest forwarding them to the 
> user lists, and also to the (low-traffic) kamailio announce list.

Well, that sounds like a good first plan. Why don't you put it on the web site as a starting point? We need a document that clearly states the process we've decided on.

"If you find any security issues with the software, please send e-mail to xxxx at sip-router.org or kamailio.net. From there, a member of the management team will handle it. 

SIP-router security alerts will be sent to the -users list and published at the following URL. Security releases, if needed, will be mentioned in the security alert, which will also point out which versions of the software are affected by the issue."

/O

