Subject: Re: libssh2 security

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Mon, 22 Aug 2016 15:35:31 +0200

On Saturday, August 20, 2016 17:41:45 Daniel Stenberg wrote:
> Hi friends,
>
> One of the remaining steps to make us reach 100% "CII best practices" is to
> make sure we document how we deal with security problems and provide a way
> for users to report such problems without immediately disclosing them to
> the public.
>
> I've written a suggested "security process" for how to handle this sort of
> problem and I've set up an email alias (libssh2-security_at_haxx.se) with a
> closed list of receivers to which suspected vulnerabilities can be reported.
>
> The process is my *suggested* approach and I'm interested in feedback and
> comments to make sure we all agree on it. It is right now already easily
> browsable here:
>
> https://github.com/libssh2/libssh2/blob/master/docs/SECURITY.md

Looks good to me! Sorry for replying late on this.

Kamil

> There should be very few surprises in that. It is basically the same
> document I've used in the curl project for many years. I stole it from
> there with permission since I wrote the original =)
>
> I'll make it viewable from the web site too in a day or two, depending on
> the feedback here.
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2016-08-22