On Wed, Sep 7, 2022 at 7:45 PM Ben Cotton <bcotton@redhat.com> wrote:

On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel
<devel@lists.fedoraproject.org> wrote:
>
> Does anyone know how to reach prodsec about this?

I'll reach out to the people I know and see what the best way to get
them in this conversation is.

Has this conversation been started yet? Because the CVE reporting system doesn't seem to have been improved at all - in fact a recent CVE bug (https://bugzilla.redhat.com/show_bug.cgi?id=2141029) was filed, had over 179 people added to the CC list, and there is no mention at all of which applications were identified as being affected or any other tracking bugs filed for those affected applications. So as a maintainer, I am then unsure why I was CC'd on the bug and which application prod sec wants me to examine for the vulnerability (especially since to my knowledge, none of the packages I maintain even use electron in any way or have its code contained inside of them).