[Koha-devel] Reporting security bugs
Galen Charlton
gmc at esilibrary.com
Tue Feb 4 23:40:50 CET 2014
Hi,
There is now a mechanism in place for reporting security bugs via
Bugzilla. If you look at the footer, you should now see a 'Report
security bug' link. This allows someone who has a Bugzilla account to
enter a bug in a new BZ product called 'Koha security'.
Bugs reported in this fashion are visible only to the reporter and to
members of a Koha security group currently consisting of the following
individuals:
Bernardo Gonzalez Kriegel
Chris Cormack
Frère Sébastien Marie
Fridolin SOMERS
Galen Charlton
Ian Walls
Jared Camins-Esakov
Jonathan Druart
Katrin Fischer
Kyle M Hall
M. de Rooy
MJ Ray (software.coop)
Paul Poulain
Robin Sheat
Tomás Cohen Arazi
The idea is that members of the security group would be responsible
for evaluating the bugs, fixing them (and drawing in outside help if
needed), and releasing the fixes. Once a fix is released, the
relevant bug(s) would be sanitized to remove mention of direct
exploits, then have their products changed to 'Koha' so that they
would be visible to all.
This is not set in stone, so I invite discussion of the security
policy. I also invite anybody who may have been sitting on security
bugs for lack of a means to report them securely to go ahead and use
BZ.
Regards,
Galen
--
Galen Charlton
Manager of Implementation
Equinox Software, Inc. / The Open Source Experts
email: gmc at esilibrary.com
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org