No reaction on security mails?
Hi!

We discovered a critical security issue in Drupal 6 Core and wrote a mail about it to security@drupal.org more than two weeks ago. (2009-12-27)

The only reaction so far was an auto response mail from security-bounces@drupal.org the next day telling "All e-mails sent to us are read by a member of the team and acted upon if necessary."

Now I'm not sure how to continue. Does it take more than two weeks to read through the mails and I just have to wait or is my message lost?

Markus
mkalkbrenner http://drupal.org/user/124705

I'm pretty curious about this as well... I submitted a couple issues about some contrib modules almost 6 months ago and never heard back. They weren't that critical so I never followed up, but I have no idea if the mails were even received or if they were just ignored.

- Scott

On Thu, Jan 14, 2010 at 2:33 PM, Markus Kalkbrenner <markus.kalkbrenner@arcor.de> wrote:
> Hi!
> We discovered a critical security issue in Drupal 6 Core and wrote a mail about it to security@drupal.org more than two weeks ago. (2009-12-27)
> The only reaction so far was an auto response mail from security-bounces@drupal.org the next day telling "All e-mails sent to us are read by a member of the team and acted upon if necessary."
> Now I'm not sure how to continue. Does it take more than two weeks to read through the mails and I just have to wait or is my message lost?
> Markus
> mkalkbrenner http://drupal.org/user/124705

Hi Scott and Markus,

The Drupal security team has been recently switching to a distributed model of responding to incoming security issues. If you don't get a response from security@drupal.org, then escalate to the Drupal security list and escalate to me as well. Use my kieran at gmail dot com address. If you need to reach me call me at work at 978-296-5234.

Mori and I are the security team coordinators and we work with the 35 members of the Drupal security team to address issues.

Cheers,
Kieran

2010/1/14 Scott Hadfield <hadsie@gmail.com>
> I'm pretty curious about this as well... I submitted a couple issues about some contrib modules almost 6 months ago and never heard back. They weren't that critical so I never followed up, but I have no idea if the mails were even received or if they were just ignored.
> - Scott
> On Thu, Jan 14, 2010 at 2:33 PM, Markus Kalkbrenner <markus.kalkbrenner@arcor.de> wrote:
>> Hi!
>> We discovered a critical security issue in Drupal 6 Core and wrote a mail about it to security@drupal.org more than two weeks ago. (2009-12-27)
>> The only reaction so far was an auto response mail from security-bounces@drupal.org the next day telling "All e-mails sent to us are read by a member of the team and acted upon if necessary."
>> Now I'm not sure how to continue. Does it take more than two weeks to read through the mails and I just have to wait or is my message lost?
>> Markus
>> mkalkbrenner http://drupal.org/user/124705

Hi Markus,

Thank you very much for your report and sorry we haven't responded to you. We have received your email and one of the security team members will respond shortly.

The situation surrounding Drupal has changed significantly in the past couple of years. With the drastic increase in number of users, as well as contrib modules, we are receiving more reports than before. After Drupalcon Paris, we have been trying to establish a new report/issue handling process and we are becoming more efficient. But we are also aware that we need to make efforts to further streamline the process so please bear with us.

Should this happen again, please contact one of the security team coordinators (me, Mori Sugimoto a.k.a dokumori or Kieran Lal a.k.a amazon).

Thanks again for your report and contribution.

Cheers,
Mori

On 14/01/2010 12:33, Markus Kalkbrenner wrote:
> Hi!
> We discovered a critical security issue in Drupal 6 Core and wrote a mail about it to security@drupal.org more than two weeks ago. (2009-12-27)
> The only reaction so far was an auto response mail from security-bounces@drupal.org the next day telling "All e-mails sent to us are read by a member of the team and acted upon if necessary."
> Now I'm not sure how to continue. Does it take more than two weeks to read through the mails and I just have to wait or is my message lost?
> Markus
> mkalkbrenner http://drupal.org/user/124705

Hi Mori,

thanks for the update.

Markus

On Thursday, 14 January 2010 16:18:41, Mori Sugimoto wrote:
> Hi Markus,
> Thank you very much for your report and sorry we haven't responded to you. We have received your email and one of the security team members will respond shortly.
> The situation surrounding Drupal has changed significantly in the past couple of years. With the drastic increase in number of users, as well as contrib modules, we are receiving more reports than before. After Drupalcon Paris, we have been trying to establish a new report/issue handling process and we are becoming more efficient. But we are also aware that we need to make efforts to further streamline the process so please bear with us.
> Should this happen again, please contact one of the security team coordinators (me, Mori Sugimoto a.k.a dokumori or Kieran Lal a.k.a amazon).
> Thanks again for your report and contribution.
> Cheers,
> Mori
> On 14/01/2010 12:33, Markus Kalkbrenner wrote:
>> Hi!
>> We discovered a critical security issue in Drupal 6 Core and wrote a mail about it to security@drupal.org more than two weeks ago. (2009-12-27)
>> The only reaction so far was an auto response mail from security-bounces@drupal.org the next day telling "All e-mails sent to us are read by a member of the team and acted upon if necessary."
>> Now I'm not sure how to continue. Does it take more than two weeks to read through the mails and I just have to wait or is my message lost?
>> Markus
>> mkalkbrenner http://drupal.org/user/124705

participants (4): Kieran Lal, Markus Kalkbrenner, Mori Sugimoto, Scott Hadfield