[Projects] responsible disclosure
Jody Garnett
jody.garnett at gmail.com
Sat Jun 27 15:03:20 PDT 2015
Wanted to bring up an idea for OSGeo projects around the responsible
disclosure of security vulnerabilities.
I have some working notes in a blog post here
<http://blog.geoserver.org/2015/06/27/geoserver-xee-vulnerability/> that
will be making their way into the geoserver developers guide and website:
*Responsible Disclosure*
> If you encounter a security vulnerability in GeoServer, or any other open
> source software, please take care to report the issue in a responsible
> fashion:
>
> - Keep exploit details out of the issue report (send them to the developer/PSC
> privately – just like you would do for sensitive sample data)
> - Be prepared to work with Project Steering Committee (PSC) members on
> a solution
> - Keep in mind PSC members are volunteers and an extensive fix may
> require fundraising / resources
>
> If you are not in a position to communicate in public (or make use of the
> issue tracker), please consider commercial support
> <http://geoserver.org/support/>, contacting a PSC member
> <http://docs.geoserver.org/latest/en/developer/policies/psc.html#current-psc> privately
> or contacting us via the Open Source Geospatial Foundation at
> info at osgeo.org.
While I would hope some of the above is common sense, please consider your
project's guidelines (perhaps something like the above would be appropriate).
Aside: I have taken the liberty of using info at osgeo.org as a contact point
for the GeoServer PSC as it is a public email address suitable for
communication. In the past Jeff (or others) have been kind enough to make
an appropriate introduction to a member of the GeoServer PSC.
Any feedback/discussion welcome.
--
Jody Garnett