PGP key for vulnerability reports

Ethan Blanton elb at pidgin.im
Fri Oct 11 05:28:27 EDT 2013


Richard Johnson spake unto us the following wisdom:
> Hello, our research team has found a number of vulnerabilities in
> libpurple, including fully controlled remote execution. What is the proper
> procedure for submitting bugs?

You are following it.  :-) For security-related bugs, please send the
details to this mailing list, and we will arrange for a CVE (unless
you wish to do so yourselves), bug fix, embargo with our packagers,
and a public release date.  As we are a large all-volunteer project,
these things normally take some time -- however, we will proceed as
rapidly as possible for a remote execution vulnerability.  As I am
sure you understand, we do ask that you respect the embargo date we
set and withhold your own publication until that date.  Please provide
us with whatever crediting information you wish for us to include in
the CVE and news items -- research institution, individual discoverer,
email address, etc.

If you wish to encrypt your report, you can encrypt it to my public
key, 0x771fc72b.  I am currently traveling and there may be some
latency for a confirmation, but I will distribute the information as
appropriate.

Ethan
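
The encryption step the message describes, as an added example that is
not part of Ethan's message or of the Pidgin project's tooling.  It shows
the GnuPG commands a reporter would use to encrypt a report to a
maintainer's key, and the check that belongs in front of them: 0x771fc72b
is a 32-bit short key ID, and short IDs are cheap to collide, so the
full 40-hex-digit fingerprint should be compared against one obtained out
of band (a project web page, a previous signed mail, a keysigning) before
anything is encrypted.  To run offline, the script generates a throwaway
test key in an isolated keyring as a stand-in for the maintainer's key;
the user ID security@example.invalid, the key material, the
--trust-model always flag and the sample report text are all assumptions
of this example and not facts from the message.

```shell
#!/bin/sh
# Added example (not from the pidgin.im message): encrypt a vulnerability
# report to a maintainer's PGP key with GnuPG, after verifying the full
# fingerprint rather than trusting a 32-bit short key ID such as 0x771fc72b.
# Everything runs in a throwaway GNUPGHOME with a freshly generated test key
# (an assumed stand-in for the maintainer's real key), so it works offline.
set -eu

# Create an isolated GnuPG home so nothing touches the user's real keyring,
# then generate a passphrase-less test key standing in for the maintainer's.
setup_keyring() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Maintainer Test Key <security@example.invalid>' \
        default default never
}

# Print the full primary-key fingerprint (40 hex digits) for a user ID,
# short key ID, long key ID or fingerprint.  The "fpr" colon record carries
# the fingerprint in field 10.
key_fingerprint() {
    gpg --batch --with-colons --list-keys --fingerprint "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Refuse unless the fingerprint the keyring reports for $1 (for example a
# short key ID found in an e-mail) equals the fingerprint $2 verified out of
# band.  Spaces and case are normalised so a fingerprint copied from a web
# page in groups of four compares correctly.
check_fingerprint() {
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    actual=$(key_fingerprint "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Encrypt plaintext file $2 to the key with fingerprint $1, writing an
# ASCII-armored message to $3.  Addressing the recipient by full fingerprint
# avoids any ambiguity a short ID could introduce.  --trust-model always is
# used here only because this throwaway key was generated seconds ago; with
# a real maintainer key, certify it (gpg --lsign-key) after verification
# instead of bypassing the trust check.
encrypt_report() {
    gpg --batch --yes --quiet --trust-model always --armor \
        --recipient "$1" --output "$3" --encrypt "$2"
}

# Decrypt an armored message to stdout (used here only to prove the round
# trip; the reporter normally has no way to do this with the maintainer's key).
decrypt_report() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt "$1"
}

# Stop the agent started for the throwaway home and delete it.
cleanup_keyring() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

# Full flow: look the key up by its short ID, verify the fingerprint,
# encrypt a constructed sample report, and show the round trip works.
main() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 0; }
    setup_keyring
    fpr=$(key_fingerprint 'security@example.invalid')
    short="0x$(printf '%s' "$fpr" | tail -c 8)"      # the 32-bit short ID
    echo "short ID $short resolves to fingerprint $fpr"
    check_fingerprint "$short" "$fpr" || { echo "fingerprint mismatch" >&2; return 1; }
    # Constructed sample report, not a real finding.
    printf 'libpurple: sample report text for the round-trip test\n' \
        > "$GNUPGHOME/report.txt"
    encrypt_report "$fpr" "$GNUPGHOME/report.txt" "$GNUPGHOME/report.asc"
    head -n 1 "$GNUPGHOME/report.asc"
    decrypt_report "$GNUPGHOME/report.asc"
    cleanup_keyring
}

main
```

For a real submission the only lines that change are the key source and
the recipient: import the maintainer's key (from a keyserver, the
project's site or an earlier signed mail), run check_fingerprint with the
fingerprint you verified through a second channel, and pass that full
fingerprint, never the short ID, to encrypt_report.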

