From 2a9e9f13f6583ba04bca06750373d462985c5ccb Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Mon, 19 Dec 2016 16:23:54 +0000 Subject: [PATCH] List security contacts We still don't have a security@ alias; listing personal emails is unfortunately the next-best thing. --- doc/bugs.mdwn | 4 ++++ doc/security.mdwn | 9 +++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/doc/bugs.mdwn b/doc/bugs.mdwn index f16a4f8e1..86df60408 100644 --- a/doc/bugs.mdwn +++ b/doc/bugs.mdwn @@ -3,6 +3,10 @@ elsewhere. Link items to [[bugs/done]] when done. Also see the [Debian bugs](http://bugs.debian.org/ikiwiki). +If you are reporting a security vulnerability, please email the maintainers +privately, instead of making it public by listing it here. See [[security]] +for contact details. + There are [[!pagecount pages="bugs/* and !bugs/done and !bugs/discussion and !link(patch) and !link(bugs/done) and !bugs/*/*" feedpages="created_after(bugs/no_commit_mails_for_new_pages)"]] "open" bugs: diff --git a/doc/security.mdwn b/doc/security.mdwn index 6d68fac00..e4851ecf5 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -1,11 +1,16 @@ -Let's do an ikiwiki security analysis. - If you are using ikiwiki to render pages that only you can edit, do not generate any wrappers, and do not use the cgi, then there are no more security issues with this program than with cat(1). If, however, you let others edit pages in your wiki, then some possible security issues do need to be kept in mind. +If you find a new security vulnerability, please email the maintainers +privately instead of listing it in a public bug tracker, so that we can +arrange for coordinated disclosure when a fix is available. The maintainers +are [[Joey Hess|joey]] (), +[[Simon McVittie|smcv]] () +and [[Amitai Schleier|schmonz]] (`schmonz-web-ikiwiki schmonz com`). + [[!toc levels=2]] ----
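Review bot: In the doc/bugs.mdwn hunk, the new paragraph sits directly under "Also see the [Debian bugs](http://bugs.debian.org/ikiwiki)", which is another public tracker, but the text only says not to list a vulnerability "here"; say explicitly that the Debian BTS is public too, e.g. "instead of making it public by listing it here or in the Debian BTS", so a reporter who follows the link above does not disclose the issue that way.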
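Review bot: In the doc/security.mdwn hunk, the contact entries for [[Joey Hess|joey]] and [[Simon McVittie|smcv]] appear as empty parentheses "()", so as shown the page gives no usable address for two of the three maintainers, whereas the third entry carries an obfuscated address in backticks (`schmonz-web-ikiwiki schmonz com`). If the addresses were written in angle brackets, check how the mdwn renderer treats them (an unescaped `<user@host>` can be dropped or rendered as a tag), and consider using the same backtick-obfuscated form for all three so the list renders consistently. Also, removing "Let's do an ikiwiki security analysis." is unrelated to the subject "List security contacts"; either mention it in the commit message or split it out.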