On Wed, 16 Sep 2015 07:30:52 -0500 Major Hayden wrote:
> On 09/16/2015 12:46 AM, pjp(a)fedoraproject.org wrote:
>> That's right. We need to publicise 'security(a)fp.o' address for
>> users to report issues to FST.
Before doing that, it should be figured out how to handle those
reports. Traditionally, only RH employees, RH SRT members pretty much,
were on the list. Handling of embargoed stuff in Fedora has been
avoided in general.
> Updated with that address mentioned for critical bugs:
> https://gist.github.com/major/2dbb21b8f42dd882439d
In addition to the concerns above, I think you should distinguish
critical and embargoed / non-public. security-team(a)l.fp.o should still
be preferred for any discussion of critical but already public issues.
--
Tomas Hoger / Red Hat Product Security