28 Jun 2014, 9:41 p.m.
On Sat, Jun 28, 2014 at 11:35 PM, Allan McRae <allan@archlinux.org> wrote:
On 29/06/14 02:23, Karol Blazewicz wrote:
Should I open a bug report saying that e.g. some Arch package has a certain vulnerability, mark the report as critical and wait for someone to set it as private? How do we deal with such sensitive information?
I've looked in the wiki, but neither https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team nor https://wiki.archlinux.org/index.php/CVE-2014 has any info on this.
If you have a private bug to report, then use security@archlinux.org. If the bug is public, just file a bug report.
Allan
Should I add a warning to the wiki not to report private bugs to the bug tracker but to the ML?