Hi Scot and Markus, the Drupal security team has been recently switching to a distributed model of responding to incoming security issues. If you don't get a response from security@drupal.org, then escalate to the Drupal security list and escalate to me as well. Use my kieran at gmail dot com address. If you need to reach me call me at work at 978-296-5234 Mori and I are the security team coordinators and we work with the 35 members of the Drupal security team to address issues. Cheers, Kieran 2010/1/14 Scott Hadfield <hadsie@gmail.com>
I'm pretty curious about this as well... I submitted a couple issues about some contrib modules almost 6 months ago and never heard back. They weren't that critical so I never followed up, but I have no idea if the mails were even received or if they were just ignored.
- Scott
On Thu, Jan 14, 2010 at 2:33 PM, Markus Kalkbrenner < markus.kalkbrenner@arcor.de> wrote:
Hi!
We discovered a critical security issue in Drupal 6 Core and wrote a mail about it to security@drupal.org more than two weeks ago. (2009-12-27)
The only reaction so far was an auto response mail from security-bounces@drupal.org the next day telling "All e-mails sent to us are read by a member of the team and acted upon if necessary."
Now I'm not sure how to continue. Does it take more than two weeks to read through the mails and I just have to wait or is my message lost?
Markus
mkalkbrenner http://drupal.org/user/124705