Hi! To avoid future problems with security hole reporting, I'd advice creating a security-team@drupal.org (or sg like that) address and advocating it on drupal.org homepage or at least on the Support page. A few select people should get these emails. So there will be no confusion where security holes must be reported. I know that most probably Dries and Steven will get these, but we can not assume that anyone who happens to stumble on a security hole knows our leaders. Regards Karoly Negyesi