[Koha-devel] Reporting security bugs

Galen Charlton gmc at esilibrary.com
Tue Feb 4 23:40:50 CET 2014


Hi,

There is now a mechanism in place for reporting security bugs via
Bugzilla.  If you look at the footer, you should now see a 'Report
security bug' link.  This allows someone who has a Bugzilla account to
enter a bug in a new BZ product called 'Koha security'.

Bugs reported in this fashion are visible only to the reporter and to
members of a Koha security group currently consisting of the following
individuals:

 Bernardo Gonzalez Kriegel
 Chris Cormack
 Frère Sébastien Marie
 Fridolin SOMERS
 Galen Charlton
 Ian Walls
 Jared Camins-Esakov
 Jonathan Druart
 Katrin Fischer
 Kyle M Hall
 M. de Rooy
 MJ Ray (software.coop)
 Paul Poulain
 Robin Sheat
 Tomás Cohen Arazi

The idea is that members of the security group would be responsible
for evaluating the bugs, fixing them (and drawing in outside help if
needed), and releasing the fixes.  Once a fix is released, the
relevant bug(s) would be sanitized to remove mention of direct
exploits, then have their products changed to 'Koha' so that they
would be visible to all.

This is not set in stone, so I invite discussion of the security
policy. I also invite anybody who may have been sitting on security
bugs for lack of a means to report them securely to go ahead and use
BZ.

Regards,

Galen
-- 
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email:  gmc at esilibrary.com
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
web:    http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org