One thing that could certainly make things simpler would be to have a "security" issue type, for which issues would only be visible to the author and members of the security team. Security issues could then be issued just like normal issues: it would maintain consistency, instead of introducing a specific behaviour for people wishing to report security issues. However, I'm not sure project* will easily support this?

----- Original Message -----
From: "DragonWize" <dragonwize@gmail.com>
To: <development@drupal.org>
Sent: Thursday, January 17, 2008 8:00 PM
Subject: Re: [development] Think there's a security problem in your module? Here's what to do.

[...]
b) You *immediately* send email to security@drupal.org about it to let us know.
Agreed. This is easy to understand, perform and educate. Maybe also have other ways for developers & users alike to contact the security team that don't make them have to remember the email address. The more ways to contact them with important information the better. [...]