(context post by knightmb)
Since we mostly communicate by forum here, the closest would be a member group that has access to a special forum here just for that issue that the public can’t normally see. I’m fairly certain the simple machines forum supports that feature?
[Deleted] Quote from: davidonpda on July 29, 2010, 08:17:31 PM
I’d support the idea. More trusted members and programmers could post security risks or exploits. Maybe the better way is just to message the developer if they are discovered.
Both can work, but a members forum would help to keep out the noise; otherwise everyone will end up messaging the lead developer with every possible thing they hear in the news and end up taking his/her time to filter out whether it’s really a risk or not.
BTW, an important feature of these mailing lists is that anyone can post… but only the “vendor security” group can read the posts.
Thus, it is easy for an outsider with a real security issue to provide detailed information to vendor-sec@myopensourceproject.org, while preventing unscrupulous people from reading the sensitive information.
I suppose a PM to
Actually, it works well to just PM me. I’m the one who’s going to be fixing it. If you find a security flaw, I would definitely like to hear from you privately to fix it before it goes public.