[riot-notifications] [RIOT-OS/RIOT] Improve visibility of security team (#10752)

PyroPeter notifications at github.com
Fri Jan 11 01:26:44 CET 2019


When @nmeum and I wanted to disclose a vulnerability yesterday, I was convinced that RIOT didn't have a security team. This caused us to assess the impact ourselves and choose a full-disclosure strategy. To our surprise, @miri64 et al. immediately started to mitigate the issue, leading to it being fixed less than 24 hours after disclosure. Please accept my apologies for putting you through all that stress and a sleepless night!

In an attempt to still get something productive from this experience, I will now list ways in which I could have noticed the existence of a security team (in a rather obvious attempt at justifying myself, I guess (again, sorry...)):

* [ ] Mention on http://riot-os.org/
* [ ] Mention on https://github.com/RIOT-OS/RIOT
* [x] Mention in the "New issue" template
* [ ] Publish security advisories (to devel@ and users@?)
* [ ] Create a list of security incidents (e.g. https://tls.mbed.org/security)

Reply to this email directly or view it on GitHub:
https://github.com/RIOT-OS/RIOT/issues/10752