Hi Scot and Markus, the Drupal security team has been recently switching to a distributed model of responding to incoming security issues.

If you don't get a response from security@drupal.org, then escalate to the Drupal security list and escalate to me as well. Use my kieran at gmail dot com address.  If you need to reach me call me at work at 978-296-5234

Mori and I are the security team coordinators and we work with the 35 members of the Drupal security team to address issues. 

Cheers,
Kieran



2010/1/14 Scott Hadfield <hadsie@gmail.com>
I'm pretty curious about this as well... I submitted a couple issues about some contrib modules almost 6 months ago and never heard back. They weren't that critical so I never followed up, but I have no idea if the mails were even received or if they were just ignored.

- Scott


On Thu, Jan 14, 2010 at 2:33 PM, Markus Kalkbrenner <markus.kalkbrenner@arcor.de> wrote:
Hi!

We discovered a critical security issue in Drupal 6 Core and wrote a mail
about it to security@drupal.org  more than two weeks ago. (2009-12-27)

The only reaction so far was an auto response mail from
security-bounces@drupal.org the next day telling
"All e-mails sent to us are read by a member of the team and acted upon if
necessary."

Now I'm not sure how to continue. Does it take more than two weeks to read
through the mails and I just have to wait or is my message lost?

Markus

mkalkbrenner
http://drupal.org/user/124705