Security Mailing List Proposal

From Koha Wiki

Jump to: navigation, search

- Background

  • An individual has started combing the Koha code for SQL injections and reporting them to us
  • Had asked how to report, was told (for lack of better alternative) to email current and past RMs, RMaints, and QAMs

- Proposal: We publish a way to report security bugs

  • preference to simply use Bugzilla
  • issues judged by the reporter to be more sensitve to be sent to a mailing list

- Mailing list

  • form a new mailing list to be called koha-security
  • initial membership to be RMs, RMaints, QAMs, past, present, and future
  • other interested devs can join on request
  • focus is on timely response to security issues, not abrogating the scope of koha-devel
  • publicly archived, but with a delay of six months to allow fixes to be made before exploits are published
  • preference is to have discussion on koha-devel; security list meant for fast response and discussion of sensitive issues that would threaten library catalogs if an exploit got published prematurely
  • concurrent with starting koha-security, closing the old koha-manage list

- Security advisories

  • Get registered for CVEs?

- Start a position of Security Manager?