[arch-security] How to properly report vulnerabilities

Noel Kuntze noel at familie-kuntze.de
Sat Jun 28 12:33:00 EDT 2014


Hello Karol,

The "procedure" section of [1] says that. However, it only pertains to ACMT members. I think any other user could do the same.

[1] https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 28.06.2014 18:23, Karol Blazewicz wrote:
> Should I open a bug report saying that e.g. some Arch package has
> a certain vulnerability, mark the report as critical and wait for
> someone to set it as private? How do we deal with such sensitive
> information?
>
> I've looked in the wiki, but neither
> https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team nor
> https://wiki.archlinux.org/index.php/CVE-2014 has any info on this.



