On 09/16/2015 11:05 AM, Eric Christensen wrote:
On Wednesday, September 16, 2015 10:59:04 AM David Cafaro wrote:
> The security-team list should be for all public issues. The security@
> address is for embargoed or new bugs (that may end up being embargoed
> depending on how the security@ list members handle it).
I think this is a confusion point...
We actually have three lists:
security@, security-team@, and security-private@. I believe the first was
setup to answer questions from the community, the second was setup as a
discussion area between team members, while the third was setup for what,
exactly, I don't know exactly (I can speculate).
I wouldn't use the first two to discuss embargoed items and I'm not sure I'd
use security-private either. It depends on how we extend the trust of
knowledge of embargoed items and I'm not the one to talk to about that.
Sorry, I should use more precision on that. The security@ I am
referring to is not the list one. So emails we are talking about are:
security(a)fp.org = New issues reporting to be kept private at first (private)
security(a)lists.fp.org = General public security discussion (public viewable)
security-team(a)lists.fp.org = Security team discussion (public viewable)
security-private(a)lists.fp.org = ??? (private)
Thanks,
David