On Wednesday, September 16, 2015 10:59:04 AM David Cafaro wrote:
The security-team list should be for all public issues. The security@
address is for embargoed or new bugs (that may end up being embargoed
depending on how the security@ list members handle it).
I think this is a confusion point...
We actually have three lists:
security@, security-team@, and security-private@. I believe the first was
set up to answer questions from the community, the second was set up as a
discussion area between team members, while the third was set up for what,
exactly, I don't know exactly (I can speculate).
I wouldn't use the first two to discuss embargoed items and I'm not sure I'd
use security-private either. It depends on how we extend the trust of
knowledge of embargoed items and I'm not the one to talk to about that.
--Eric