Newsgroups: php.internals
To: internals@lists.php.net
Message-ID: <8b3e1bb4-4903-e6b6-14f0-6c219f57c91c@cu.be>
Date: Sun, 9 May 2021 17:51:57 +0200
Subject: Re: [PHP-DEV] Bugsnet
From: wim.godden@cu.be (Wim Godden)

On 9/05/2021 8:48, Joe Watkins wrote:
> I'm aware that bugsnet serves as the disclosure method for security bugs
> and GitHub doesn't have a solution to that. Leaving that to one side for
> now ...

Just want to weigh in on this item (also mentioned by Stanislav as an important issue).

Although GitHub doesn't provide a way to submit security issues in a private way, there is a way to send people in the right direction for security disclosures.

For a simple example:
https://github.com/dask/dask-gateway/issues/new/choose
where you can see the 3rd item can point to a separate URL explaining how to report security issues. These could either still be submitted to bugs.php.net or could use a very simple captcha-enabled form (for anti-spam) that sends the report to specific people.

Kind regards,

Wim
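
The issue-chooser redirect described in the message above, as an added example that is not part of the original post or of any PHP repository: GitHub reads the chooser's external links from `.github/ISSUE_TEMPLATE/config.yml`. The link name, description and URL below are placeholders.

```yaml
# .github/ISSUE_TEMPLATE/config.yml
# Added illustration; values are placeholders, not the PHP project's settings.

# Require reporters to pick an entry from the chooser instead of
# opening a blank public issue.
blank_issues_enabled: false

# Each entry is shown in the "New issue" chooser as a link that leaves
# GitHub, so a security report never lands in the public tracker.
contact_links:
  - name: Report a security issue
    # Placeholder URL: this could be the existing private tracker or a
    # captcha-protected form that mails the report to specific people.
    url: https://example.org/report-security-issue
    about: Do not file security bugs as public issues. Use this private channel instead.
```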