Who should security issues be reported to?

[Fuzzyman]

grahamd at dscpl.com.au wrote:
> Aahz wrote:
> > In article <1106863164.745581.11920 at f14g2000cwb.googlegroups.com>,
> >  <grahamd at dscpl.com.au> wrote:
> > >
> > >Who are the appropriate people to report security problems to in
> > >respect of a module included with the Python distribution?  I
don't
> > >feel it appropriate to be reporting it on general mailing lists.
> >
> > There is no generally appropriate non-public mechanism for
reporting
> > security issues.  If you really think this needs to be handled
> > privately, do some research to find out which core developer is
most
> > likely to be familiar with it.  Even before you do that, check
> > SourceForge to find out whether anyone else has reported it as a
bug.
>
> I find this response a bit dissappointing frankly. Open Source people
> make
> such a big deal about having lots of people being able to look at
> source
> code and from that discover security problems, thus making it somehow
> making it better than proprietary source code. From what I can see,
if
> an
> Open Source project is quite large with lots of people involved, it
> makes it
> very hard to try and identify who you should report something to when
> there is no clearly identifiable single point of contact for security
> related

The sourceforge bug tracker *is* the single right place to post such
issues. The py-dev mailing list would be a second *useful* place to
post such a comment, although not really the right place. The OP seemed
to want an individual with whom he could have a private conversation
about it.

Regards,


Fuzzy
http://www.voidspace.org.uk/python/index.shtml

> issues. Why should I have to go through hoops to try and track down
who
> is appropriate to send it to? All you need is a single advertised
email
> address
> for security issues which is forwarded onto a small group of
developers
> who can then evaluate the issue and forward it on to the appropriate
> person.
> Such developers could probably do such evaluation in minutes, yet I
> have
> to spend a lot longer trying to research who to send it to and then
> potentially
> wait days for some obscure person mentioned in the source code who
has
> not touched it in years to respond, if at all. Meanwhile you have a
> potentially
> severe security hole sitting there wating for someone to expliot,
with
> the
> only saving grace being the low relative numbers of users who may be
> using
> it in the insecure manner and that it would be hard to identify the
> actual web
> sites which suffer the problem.
>
> I'm sorry, but this isn't really good enough. If Open Source wants to
> say that
> they are better than these proprietary companies, they need to deal
> with these
> sorts of things more professionally and establish decent channels of
> communications for dealing with it.
>
> And yes I have tried mailing the only people mentioned in the module
in
> question and am still waiting for a response.