[arch-security] How to properly report vulnerabilities

Karol Blazewicz karol.blazewicz at gmail.com
Sat Jun 28 17:41:47 EDT 2014


On Sat, Jun 28, 2014 at 11:35 PM, Allan McRae <allan at archlinux.org> wrote:
> On 29/06/14 02:23, Karol Blazewicz wrote:
>> Should I open a bug report saying that e.g. some Arch package has
>> a certain vulnerability, mark the report as critical and wait for
>> someone to set it as private? How do we deal with such sensitive
>> information?
>>
>> I've looked in the wiki, but neither
>> https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team nor
>> https://wiki.archlinux.org/index.php/CVE-2014 has any info on this.
>>
>
> If you have a private bug to report, then use security at archlinux.org.
> If the bug is public, just file a bug report.
>
> Allan
>

Should I add a warning to the wiki not to report private bugs to the
bug tracker but to the ML?

